tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Libpcap on BPF

From: Guy Harris <guy () alum mit edu>
Date: Thu, 11 Sep 2003 02:05:46 -0700
(Digging up old mail on this because of a gripe on one of the FreeBSD
mailing lists.)

On Fri, Jun 14, 2002 at 05:29:23PM -0700, José María González wrote:

My name is Chema González and I'm working on pcapd, 
a libpcap multiplexer daemon. 

I'm a little puzzled by the fact that the 
implementation of libpcap over BPF hardcodes 32KB 
kernel buffers. pcap_open_live() currently sets 
the kernel (and user-level) buffers to 32KB (or 
16KB, 8KB, 4KB, until something works), and just 
immediately avoids the user modifying it by 
BIOCSETIF'ing. 

So my question is whether there is any reason for 
not exporting the kernel buffer size to the libpcap 
user (apart from the fact that this may be a feature 
unsupported by other packet filters), or to not 
permitting him setting its own. 


Unfortunately, as "pcap_open_live()" is defined as opening the capture -
which includes binding it to a device - and as you can't set the buffer
size after you've bound to a device, the only way to export the buffer
size (if by that you mean letting the user *set* it; merely telling them
what it is doesn't help them if they want more) is to have it as an
argument in the open call.

It's actually *easier* to set it in some other OSes - for example, on
those OSes that implement packet capture with sockets and that support
setting the buffer size on a socket (Linux, possibly Irix if it lets you
set the buffer size), you can set it at any time, and WinPcap also lets
you set it.  On other OSes (for example, Solaris, I think) you can't set
it at all, in which case we could just ignore attempts to set it


As an potential solution, libpcap could read the 
default kernel BPF buffer size from the kernel 
state, and start setting the buffer size to that 
number instead of 32KB. 

In any case, is there any reason for 32KB? Seems 
kinda small to me. (While it's true that they still 
go with default 4KB buffers, modern FreeBSD OSs come 
with a maximum of 512KB.) 


If they go with default 4KB buffers, starting the buffer size with the
default rather than 32K makes the problem worse, not better.  We'd have
to read the *maximum* size (if the OS lets you do that), or, as per my
suggestion previously, start at 2^31 - 1, if we want to have libpcap
hard-wired to use the maximum size.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: