tcpdump mailing list archives
Re: Libpcap on BPF
From: Guy Harris <guy () alum mit edu>
Date: Thu, 11 Sep 2003 02:05:46 -0700
(Digging up old mail on this because of a gripe on one of the FreeBSD mailing lists.) On Fri, Jun 14, 2002 at 05:29:23PM -0700, José María González wrote:
My name is Chema González and I'm working on pcapd, a libpcap multiplexer daemon. I'm a little puzzled by the fact that the implementation of libpcap over BPF hardcodes 32KB kernel buffers. pcap_open_live() currently sets the kernel (and user-level) buffers to 32KB (or 16KB, 8KB, 4KB, until something works), and just immediately avoids the user modifying it by BIOCSETIF'ing. So my question is whether there is any reason for not exporting the kernel buffer size to the libpcap user (apart from the fact that this may be a feature unsupported by other packet filters), or to not permitting him setting its own.
Unfortunately, as "pcap_open_live()" is defined as opening the capture - which includes binding it to a device - and as you can't set the buffer size after you've bound to a device, the only way to export the buffer size (if by that you mean letting the user *set* it; merely telling them what it is doesn't help them if they want more) is to have it as an argument in the open call. It's actually *easier* to set it in some other OSes - for example, on those OSes that implement packet capture with sockets and that support setting the buffer size on a socket (Linux, possibly Irix if it lets you set the buffer size), you can set it at any time, and WinPcap also lets you set it. On other OSes (for example, Solaris, I think) you can't set it at all, in which case we could just ignore attempts to set it
As an potential solution, libpcap could read the default kernel BPF buffer size from the kernel state, and start setting the buffer size to that number instead of 32KB. In any case, is there any reason for 32KB? Seems kinda small to me. (While it's true that they still go with default 4KB buffers, modern FreeBSD OSs come with a maximum of 512KB.)
If they go with default 4KB buffers, starting the buffer size with the default rather than 32K makes the problem worse, not better. We'd have to read the *maximum* size (if the OS lets you do that), or, as per my suggestion previously, start at 2^31 - 1, if we want to have libpcap hard-wired to use the maximum size. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- Re: Libpcap on BPF Guy Harris (Sep 11)