Suricata

I am reading EVE-alerts from a Unix datagram socket. When alerts are large enough – 4096 bytes or more – they get split up into multiple datagrams, kinda destroying the point of them in the first place.

From poking around in the source, I'm guessing this is because Suricata uses fwrite to send data to the socket instead of write, which streans the data in PIPE_BUF (=4096 bytes on Linux) chunks internally.

Relevant code:
https://github.com/inliniac/suricata/blob/271bd045396b618cd52079be17ca083c4931f87e/src/util-logopenfile.c#L143