From owner-freebsd-net@FreeBSD.ORG  Sat Apr 16 06:46:37 2011
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 18635106564A
	for <freebsd-net@freebsd.org>; Sat, 16 Apr 2011 06:46:37 +0000 (UTC)
	(envelope-from yanegomi@gmail.com)
Received: from mail-pw0-f54.google.com (mail-pw0-f54.google.com
	[209.85.160.54])
	by mx1.freebsd.org (Postfix) with ESMTP id C64388FC0A
	for <freebsd-net@freebsd.org>; Sat, 16 Apr 2011 06:46:36 +0000 (UTC)
Received: by pwj8 with SMTP id 8so1863977pwj.13
	for <freebsd-net@freebsd.org>; Fri, 15 Apr 2011 23:46:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:date:message-id:subject:from:to
	:content-type; bh=FXd79Oe5hpnCs4N6fjHPd3GT4au2G3AFYmZHM7/eSBg=;
	b=xETH4Eej2b92dvVJwghNe/nGrblKJkgiEwnI7N2tagrn9XmMxvhMsuyCVVQLYZMwml
	skEYXL8OVVy+iZ6rLANJHiGmVuR5/B0xaYacQ35CEhxJR5qhsfGdE24eb++d6Pp/FUaW
	syEbaQOHJone9EuvERDcb9TFtZ1aVwuKlYqLk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:date:message-id:subject:from:to:content-type;
	b=AZLhHeP29tjlDXC2LWzmt5a2hJ24XsLUJBx54J5ksgsNfiOwDQIifjQg+lF1A6rHfT
	XdB0+7zXeXO+KvE4zoc75CQdgIZAp6TbsJZrVg039kugH6dr0saX3RQf450X/8CFez6w
	IiXAHcrBB6yFhkdkJ4NhDkqPEuNa2CfgOU63Y=
MIME-Version: 1.0
Received: by 10.68.39.137 with SMTP id p9mr2925680pbk.145.1302936396235; Fri,
	15 Apr 2011 23:46:36 -0700 (PDT)
Received: by 10.68.42.3 with HTTP; Fri, 15 Apr 2011 23:46:36 -0700 (PDT)
Date: Fri, 15 Apr 2011 23:46:36 -0700
Message-ID: <BANLkTi=Pf+hmQ2VUZHjU19-L-=5QZ7ChGQ@mail.gmail.com>
From: Garrett Cooper <yanegomi@gmail.com>
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: tcpdump allocates more mbufs than allowed by bpf(4)?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Apr 2011 06:46:37 -0000

Hello,
    I did some poking around tcpdump for work today, and while doing
that I ran into this item...

$ sysctl net.bpf
net.bpf.zerocopy_enable: 0
net.bpf.maxinsns: 512
net.bpf.maxbufsize: 524288
net.bpf.bufsize: 4096

    Before I start tcpdump:

$ vmstat -m | grep BPF
          BPF    26    12K       -      127  16,128,512,4096

    After I start tcpdump:

$ vmstat -m | grep BPF
          BPF    30  1036K       -      127  16,128,512,4096

    The value set is of course 2*net.bpf.maxbufsize, not 32kB like one
of the authors did in [1]. I was wondering why this particular limit
isn't being strictly adhered to at the kernel level, except when
dealing with the BPF, or if this maximum buffer size is designed to be
a per buffer length. It looks like the latter based on what I saw in
/sys/net/bpf_buffer.c, but I just wanted to clarify that that was the
intended effect.
Thanks!
-Garrett

1. https://github.com/mcr/libpcap/commit/e154e275c22d803ce187e97dfbef19a26707c0ed