Date:      Fri, 01 Dec 2000 10:03:05 -0600
From:      Carlos Garcia <carlos_garcia@tds.com>
To:        hackers@FreeBSD.org, carlos_garcia@tds.com
Subject:   bpf and libpcap (freebsd packet capture)
Message-ID:  <3A27CBB8.D169CDF8@tds.com>

hackers@freebsd.org:

I have two questions that concern enhancing the FreeBSD packet capture.
I am looking into doing some source code changes for bpf, libpcap, and
the kernel, if necessary, to increase the performance of packet capture
for a custom sniffer on a loaded network.  Now what I read was increasing
the bpf buffer size to 256K rather than the default 32K.  Can we increase
this more?  Can you please help me, or rather point me in the right
direction.

Question 1:
 If I want to increase the buffer size of the bpf, which #define would
 I have to change?  I found a few BUF variables.  The reason is that I
 want to sniff on a loaded 100Mbs network without dropping any packets.
 I found these variables:
 bpf.c:#define BPF_BUFSIZE (MCLBYTES-8)
 bpf.c:#define BPF_BUFSIZE 4096
 bpf.h:#define BPF_MAXBUFSIZE 0x8000
 bpf.h:#define BPF_MINBUFSIZE 32
 My guess is that it is the #define BPF_MINBUFSIZE 32, because I read
 that the default buffer is 32K and I want to change it to 256K.
 Is this the right variable to change, or do I have to change code in
 the libpcap files:
 pcap-enet.c:#define BUFSPACE (4*1024)
 pcap-nit.c:#define BUFSPACE (4*CHUNKSIZE)
 pcap-pf.c:#define BUFSPACE (200 * 256)
 pcap-snit.c:#define BUFSPACE (4*CHUNKSIZE)
 pcap.h:#define PCAP_ERRBUF_SIZE 256

Question 2:
 It seems, after my testing, that if you insert a very large bpf filter
 rule into the bpf device, it breaks.  My testing involved filtering in a
 few services/ports and external traffic to and from about 20 different
 IPs, and excluding any internal traffic of the 20, which I can't subnet
 because they are not grouped together.  The filter rule grows extremely
 large, which I think overruns the stack or address space for bpf.  Is
 there any default variable that can increase the actual filter rule or
 filter rule buffer?  My colleague hacked the number of instructions that
 is passed to pcap, but it still breaks.  Can you point me to where to
 look in order to increase the filter rule?

Thanks,
Carlos R. Garcia
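
The two limits the mail runs into are both enforced by the bpf driver at
ioctl time, not by libpcap. The following is an added example, not code
from Carlos's mail or from the FreeBSD tree: a user-space replica of the
two checks the 4.4BSD-derived driver applies, built only from the
constants the mail quotes (BPF_MINBUFSIZE, BPF_MAXBUFSIZE) plus
BPF_MAXINSNS, the instruction-count ceiling from the same bpf.h. The
struct bpf_insn layout and the BPF_* opcode macros are copied inline so
the file builds on any host; on FreeBSD you would include <net/bpf.h>
instead. The sample programs (accept_ip, bad_jump) are constructed for
the example.

```c
/*
 * Added example (not from the mail or the FreeBSD tree): user-space
 * replica of two checks the 4.4BSD-derived bpf driver performs, using
 * the constants the mail quotes from bpf.h.  The struct and macros are
 * copied inline so the file builds on any host; on FreeBSD you would
 * include <net/bpf.h> instead.
 */
#include <stdint.h>
#include <stdio.h>

#define BPF_MINBUFSIZE 32      /* bpf.h, quoted in the mail */
#define BPF_MAXBUFSIZE 0x8000  /* bpf.h, quoted in the mail: 32 KiB ceiling */
#define BPF_MAXINSNS   512     /* bpf.h: largest program BIOCSETF accepts */

/* One BPF instruction, same layout as struct bpf_insn in bpf.h. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_JA   0x00
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_H    0x08
#define BPF_ABS  0x20
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (k) }

/*
 * What BIOCSBLEN does with the length libpcap (or a raw ioctl) asks for:
 * it is silently clamped into [BPF_MINBUFSIZE, BPF_MAXBUFSIZE].  With
 * BPF_MAXBUFSIZE at 0x8000, asking for 256K gets you 32K, which is why
 * raising BPF_MINBUFSIZE changes nothing.
 */
unsigned bpf_clamp_buflen(unsigned requested)
{
    if (requested > BPF_MAXBUFSIZE)
        return BPF_MAXBUFSIZE;
    if (requested < BPF_MINBUFSIZE)
        return BPF_MINBUFSIZE;
    return requested;
}

/*
 * Simplified bpf_validate(): BIOCSETF refuses the program (EINVAL) if it
 * is empty, longer than BPF_MAXINSNS, contains a jump that leaves the
 * program, or does not end in a RET.  Returns 1 if the program is ok.
 */
int bpf_program_ok(const struct bpf_insn *f, unsigned len)
{
    if (len == 0 || len > BPF_MAXINSNS)
        return 0;
    for (unsigned i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        if (BPF_CLASS(p->code) != BPF_JMP)
            continue;
        unsigned from = i + 1;          /* jumps are relative to the next insn */
        if (BPF_OP(p->code) == BPF_JA) {
            if (from + p->k >= len)
                return 0;
        } else if (from + p->jt >= len || from + p->jf >= len) {
            return 0;
        }
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}

/* Constructed sample: the classic "accept IPv4 only" program on Ethernet. */
const struct bpf_insn accept_ip[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),            /* A = ethertype      */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 1), /* IP? next : skip 1  */
    BPF_STMT(BPF_RET | BPF_K, (unsigned)-1),           /* accept whole packet */
    BPF_STMT(BPF_RET | BPF_K, 0),                      /* drop               */
};
const unsigned accept_ip_len = 4;

/* Constructed sample with a jump past the end, which bpf_validate rejects. */
const struct bpf_insn bad_jump[] = {
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 5, 0),
    BPF_STMT(BPF_RET | BPF_K, 0),
};
const unsigned bad_jump_len = 2;

int main(void)
{
    printf("256K request -> %u bytes\n", bpf_clamp_buflen(256 * 1024));
    printf("accept_ip ok: %d, bad_jump ok: %d, 513 insns ok: %d\n",
           bpf_program_ok(accept_ip, accept_ip_len),
           bpf_program_ok(bad_jump, bad_jump_len),
           bpf_program_ok(accept_ip, BPF_MAXINSNS + 1));
    return 0;
}
```

Two practical checks follow from this. First, BIOCSBLEN has to be issued
before the descriptor is bound to an interface with BIOCSETIF, and
reading the size back with BIOCGBLEN afterwards shows whether the kernel
clamped the request; to actually get 256K on the tree the mail describes,
BPF_MAXBUFSIZE itself is the constant to raise (later FreeBSD releases
expose this ceiling as a sysctl instead of a compile-time constant).
Second, the "very large filter rule" failure is most likely the
BPF_MAXINSNS limit being exceeded by the compiled program, which the
kernel rejects outright rather than overrunning anything; counting the
instructions libpcap produces for the expression (pcap_compile's output
length) against that constant tells you before the ioctl whether it will
be accepted.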
