Date: Fri, 8 Dec 2000 00:38:39 -0800
From: Guy Harris
To: Guy Harris
Cc: Matt Dillon, Dragos Ruiu, tcpdump-workers@tcpdump.org, ethereal-dev@ethereal.com, snort-devel@lists.sourceforge.net, freebsd-hackers@FreeBSD.ORG, tech@openbsd.org
Subject: Re: [Ethereal-dev] Re: Fwd: kyxtech: freebsd outsniffed by wintendo !!?!?

On Thu, Dec 07, 2000 at 11:39:58PM -0800, Guy Harris wrote:
> Or, as per my other mail, perhaps using, on Windows, a version of the
> standard I/O library that does bigger writes, hence fewer system calls.

Nope. According to "strace for NT":

	http://www.securiteam.com/tools/Strace_for_NT_-_low_level_system_calls_tracer.html

and the Windows(R) NT(R)/2000 Native API Reference:

	http://www.newriders.com/books/title.cfm?isbn=1578701996

it's doing 4K writes in the underlying NT system call "NtWriteFile()".

I suspect that running the test on FreeBSD 4.x and tweaking libpcap to
use a 512KB buffer might make a big difference here.

At this point, we might want to limit followups to one or more of:

	tcpdump-workers@tcpdump.org - for discussing changes to libpcap
	to allow the buffer size to be set from an application and/or
	changing the size it initially tries on BSD (the current version
	in CVS starts at 32768 and keeps dividing that in half until it
	finds something that works);

	freebsd-hackers@freebsd.org, tech@openbsd.org - for discussing
	changes to allow the buffer size to be changed with BIOCSBLEN
	even if the BPF device is attached to an interface.

(Both FreeBSD and OpenBSD have the maximum buffer size for BPF as 512KB
in the top of the CVS tree; NetBSD still has it as 32K.)
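
The buffer negotiation described in the message (start at some size, halve until an attach works, with BIOCSBLEN issued before the device is attached to an interface), as an added example that is not libpcap's code or part of the original message. `negotiate_buflen`, `attach_fn`, `fake_kernel`, `fake_attach`, `bpf_target` and `bpf_attach` are hypothetical names, and the fake kernel is a constructed stand-in for a per-OS buffer limit.

```c
#include <errno.h>
#include <string.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
#include <sys/types.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/bpf.h>
#endif

/* Hypothetical callback: request `size`, then attach. 0 on success, -1 with errno set. */
typedef int (*attach_fn)(void *ctx, unsigned int size);

/* Try `start`, halving after each ENOBUFS. Returns the size requested on the
 * attempt that succeeded, or 0 if none did. */
unsigned int negotiate_buflen(attach_fn attach, void *ctx, unsigned int start)
{
    for (unsigned int v = start; v != 0; v >>= 1) {
        if (attach(ctx, v) == 0)
            return v;
        if (errno != ENOBUFS)   /* some other failure: a smaller buffer will not help */
            return 0;
    }
    return 0;
}

/* Constructed stand-in for a kernel that cannot supply buffers larger than `max`. */
struct fake_kernel { unsigned int max; int calls; };

int fake_attach(void *ctx, unsigned int size)
{
    struct fake_kernel *k = ctx;
    k->calls++;
    if (size > k->max) { errno = ENOBUFS; return -1; }
    return 0;
}

#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
struct bpf_target { int fd; const char *ifname; };  /* fd: an open BPF device */
/* Real attempt on BSD: BIOCSBLEN has to be issued before BIOCSETIF. */
int bpf_attach(void *ctx, unsigned int size)
{
    struct bpf_target *t = ctx;
    struct ifreq ifr;
    (void)ioctl(t->fd, BIOCSBLEN, &size);
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, t->ifname, sizeof(ifr.ifr_name) - 1);
    return ioctl(t->fd, BIOCSETIF, &ifr);
}
#endif
```

Starting the search at 32768 can never yield more than 32768 even where 512KB is available, which is why the starting size matters as much as the kernel maximum.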