Fragmented unix_dgram output
I am reading EVE-alerts from a Unix datagram socket. When alerts are large enough – 4096 bytes or more – they get split up into multiple datagrams, kinda destroying the point of them in the first place.
From poking around in the source, I'm guessing this is because Suricata uses fwrite to send data to the socket instead of write, which streans the data in PIPE_BUF (=4096 bytes on Linux) chunks internally.
Updated by Victor Julien about 5 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 4.0beta1
Looks like this was fixed by https://github.com/OISF/suricata/commit/59b98649de2fad5594756983b3a86c940a3575c7 in the 4.0 development cycle.
Thanks for circling back!