From: Petri Helenius
Date: Sat, 21 Sep 2002 12:03:30 +0300
To: freebsd-net@freebsd.org
Subject: pcap & bpf
Message-ID: <3D8C35E2.803199B3@he.iki.fi>

(I'm sending a copy here since I'm running this on FreeBSD and got no reply so far from the tcpdump folks)

Function pcap_open_live in pcap-bpf.c contains the code snippet below. To me, this does not make too much sense, because:

- if v is too big to be accommodated (either by configuration or resources), BIOCSBLEN will fail. However, the code ignores the return code
- it then proceeds to BIOCSETIF, which will succeed either with the bufsize of 32768 or whatever is default in the OS.

Suggestions:

- Do not touch the buffer size (at least without giving the option to specify the size)
- If some operating systems really need touching the buffersize, do BIOCGBLEN first to figure out what you got and in any case don't make the bufsize smaller than it was (reason: doing highspeed capture with 32k buffer is futile)

I statically linked with patched library with large buffers and it works happily, before that the system dropped a few thousand packets a minute.

Pete

	/*
	 * Try finding a good size for the buffer; 32768 may be too
	 * big, so keep cutting it in half until we find a size
	 * that works, or run out of sizes to try.
	 *
	 * XXX - there should be a user-accessible hook to set the
	 * initial buffer size.
	 */
	for (v = 32768; v != 0; v >>= 1) {
		/* Ignore the return value - this is because the call fails
		 * on BPF systems that don't have kernel malloc. And if
		 * the call fails, it's no big deal, we just continue to
		 * use the standard buffer size.
		 */
		(void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);

		(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
		if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0)
			break;	/* that size worked; we're done */

		if (errno != ENOBUFS) {
			snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
			    device, pcap_strerror(errno));
			goto bad;
		}
	}
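
The policy suggested in the message above (query with BIOCGBLEN first, check the BIOCSBLEN result, never end up smaller than the starting size), as an added example that is not part of the original message or of libpcap. The names fake_bpf, get_blen, set_blen and negotiate_blen are hypothetical stand-ins for a BPF descriptor and its BIOCGBLEN/BIOCSBLEN ioctls, and rejecting an oversize request with EINVAL is an assumed failure mode.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for a BPF descriptor; on a real system the two
 * helpers would be ioctl(fd, BIOCGBLEN, &v) and ioctl(fd, BIOCSBLEN, &v). */
struct fake_bpf {
	unsigned int cur;	/* size the kernel currently uses */
	unsigned int max;	/* largest size the kernel will accept */
};

static int get_blen(struct fake_bpf *b, unsigned int *v)
{
	*v = b->cur;
	return 0;
}

static int set_blen(struct fake_bpf *b, const unsigned int *v)
{
	if (*v > b->max) {	/* assumed failure mode for oversize requests */
		errno = EINVAL;
		return -1;
	}
	b->cur = *v;
	return 0;
}

/* Returns the buffer size in effect afterwards, or 0 on error. */
unsigned int negotiate_blen(struct fake_bpf *b, unsigned int wanted)
{
	unsigned int have, v;

	if (get_blen(b, &have) < 0)
		return 0;
	/* Only try sizes larger than the current one: never shrink. */
	for (v = wanted; v > have; v >>= 1)
		if (set_blen(b, &v) == 0)	/* return value is checked */
			break;
	/* Read back what was actually granted instead of assuming. */
	if (get_blen(b, &have) < 0)
		return 0;
	return have;
}

int main(void)
{
	struct fake_bpf b = { 4096, 524288 };	/* constructed limits */
	printf("%u\n", negotiate_blen(&b, 1048576));
	return 0;
}
```

Reading the size back after the loop also covers kernels that clamp an oversize request rather than rejecting it.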