From owner-freebsd-net Sat Sep 21 4:52:52 2002 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A33337B401 for ; Sat, 21 Sep 2002 04:52:51 -0700 (PDT) Received: from overlord.e-gerbil.net (e-gerbil.net [64.186.142.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1C7F343E75 for ; Sat, 21 Sep 2002 04:52:51 -0700 (PDT) (envelope-from ras@e-gerbil.net) Received: by overlord.e-gerbil.net (Postfix, from userid 1000) id 6DB3915E47; Sat, 21 Sep 2002 07:52:45 -0400 (EDT) Date: Sat, 21 Sep 2002 07:52:45 -0400 From: Richard A Steenbergen To: Petri Helenius Cc: freebsd-net@freebsd.org Subject: Re: pcap & bpf Message-ID: <20020921115245.GA1123@overlord.e-gerbil.net> References: <3D8C35E2.803199B3@he.iki.fi> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D8C35E2.803199B3@he.iki.fi> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Sep 21, 2002 at 12:03:30PM +0300, Petri Helenius wrote: > (I'm sending a copy here since I'm running this on FreeBSD and got > no reply so far from the tcpdump folks) > > Function pcap_open_live in pcap-bpf.c contains the code snippet below. > > To me, this does not make too much sense, because: > - if v is too big to be accommodated (either by configuration or > resources, BIOCSBLEN will fail. However the code ignores the return > code Read the comments and the rest of the code in the section you pasted. /* * Try finding a good size for the buffer; 32768 may be too * big, so keep cutting it in half until we find a size * that works, or run out of sizes to try. * * XXX - there should be a user-accessible hook to set the * initial buffer size. */ It couldn't get any blunter if they used a hammer. :) > - it then proceeds to BIOCSETIF which will succeed either with the > bufsize of 32768 or whatever is default in the OS. > > Suggestions: > - Do not touch the buffer size (at least without giving the option > to specify the size) debug.bpf_bufsize: 4096 debug.bpf_maxbufsize: 524288 32k is already a bump up from the default of 4k, which at the time that was set (and hard coded) probably seemed "good enough". Obviously as interfaces have gotten faster, that number has become out of date. Yes they SHOULD make it pcap-user tunable, the comment even says so, but until they do... Well it should be really really simple to add a hook for changing it, if you wanted to try submitting it to the pcap folks. :) -- Richard A Steenbergen http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message