Date: Thu, 08 Jun 2006 20:16:02 -0400 From: Chuck Swiger <cswiger@mac.com> To: Paul Schmehl <pauls@utdallas.edu> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: Tcpdump dropping packets Message-ID: <4488BDC2.5010807@mac.com> In-Reply-To: <4488A431.5070306@utdallas.edu> References: <4487245C.6070807@utdallas.edu> <44876F3C.9020409@mac.com> <4488A431.5070306@utdallas.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Paul Schmehl wrote: > Chuck Swiger wrote: >> >> Check sysctl debug.bpf_bufsize, but also do a search on this because >> there may be a patch needed for PCAP in order for buffers larger than >> 32K to actually work. [1] >> > Hmmm.... > > sysctl debug.bpf_bufsize > sysctl: unknown oid 'debug.bpf_bufsize' This sysctl has changed names over time, it seems, and thus may vary depending on which version of FreeBSD you have. > sysctl -a | grep bufsize > net.bpf.maxbufsize: 524288 > net.bpf.bufsize: 4096 > > I assume bufsize is the default? And maxbufsize is as high as it can > go? So it defaults to 4 megs and maxes out at 512 megs? I think those sizes may be measured in bytes, not MB. :-) > If true, how would I go about calculating a sufficiently large maxbufsize? I suspect that you will have to adjust the KVA region size to really increase the BPF buffer size. Tuning this stuff requires some experimentation, probably, although I will happily defer to someone with more knowledge... > If I have approximate 150Mbps traffic, how much has to be held in the buffer? You'd like to be able to hold several times as much data as arrives per quantum (ie, 1ms if HZ=1000) to handle peaks and the machine getting busy with something else and not draining the buffer immediately. Ie, you'd want on the order of a few hundred KB of buffer space at 150Mbps, but your disks would have to be able to sustain 20+ MB/s continuous writes if you plan to keep all of the traffic, or you'd have to filter and do whatever live processing at that type of data rate, or else you'll drop huge amounts of traffic. [ I'm tempted to suggest you call your local phone company and ask them to recommend a wirespeed Internet recorder/analyzer. ] -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4488BDC2.5010807>