tcpdump mailing list archives
Re: [RFC PATCH] Add new `pcap_set_buffer_size1` API.
From: Mario Rugiero <mrugiero () gmail com>
Date: Thu, 3 Oct 2019 16:30:29 -0300
On Thu, Oct 3, 2019 at 4:28, Guy Harris (<gharris () sonic net>) wrote:
We might want to have another API to supply the *minimum* buffer size. For BSD-style BPF, we could use BPF_MINBUFSIZE if it's defined in <net/bpf.h>.
That sounds good. Should we still allow passing buffers below that minimum with the original set_buffer_size?
At least in macOS, and possibly in other BSD-flavored OSes, the sysctl variable debug.bpf_maxbufsize will indicate the maximum size.
I'm not sure how to handle this. Buffer size can only be set before activation, but filters can be set at any point.
That's the maximum *buffer* size. We can just return that value as of the time when the pcap_create() is done. Yes, there's a risk that it might be changed after it's fetched, but the chances of that are probably small; we could have a maximum_buffer_size_op pointer, and call p->maximum_buffer_size_op(p) rather than fetching the value from the pcap_t. The maximum *filter* size is, at least in macOS High Sierra, hardwired at 512 instructions. The two sizes are independent; as far as I know, they're independent in Linux as well (filters aren't part of PF_PACKET, they're part of the socket mechanism) and in all other in-kernel capture mechanisms.
From the user POV, I wouldn't like my buffers to be limited by the maximum size of filters.
They wouldn't be.
However, another user may attempt to set it after using a buffer exceeding this, and it would fail in mysterious ways.
If a user were to change debug.bpf_maxbufsize, that would only affect *subsequent* attempts to set up a BPF device; it wouldn't affect existing devices.
The only solution I came up with is to always use software filters when the buffer is too big.
No need to use software filters in that case. And I think we *already* use software filters if the *filter* is too big.
Yes, I now realize Mac OSX mechanism for capture is also called BPF. Since it was brought up that BPF had buffer size issues, I assumed we were talking about somehow filtering and buffer size interacting. It did sound strange, but I'm more of a neophyte here so I just assumed every day we learn something new :)
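The buffer-size ceiling handling discussed in the quoted text above (a value snapshotted at create time versus a `maximum_buffer_size_op` queried live), sketched as an added example that is not code from libpcap or from either poster. `struct capture_handle`, `query_bpf_maxbufsize`, `live_max_op`, `effective_max` and `clamp_buffer_size` are hypothetical names, the sysctl read is assumed to apply only on macOS, and the minimum of 32 is a constructed value.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Hypothetical stand-in for per-handle state; not libpcap's real pcap_t. */
struct capture_handle {
    long max_at_create;  /* ceiling snapshotted at create time, -1 if unknown */
    long (*maximum_buffer_size_op)(struct capture_handle *); /* live query or NULL */
};

/* Read the ceiling from the sysctl named in the thread; -1 when unavailable. */
long query_bpf_maxbufsize(void)
{
#ifdef __APPLE__
    unsigned int value = 0;
    size_t len = sizeof(value);
    if (sysctlbyname("debug.bpf_maxbufsize", &value, &len, NULL, 0) == 0)
        return (long)value;
#endif
    return -1;
}

/* Live op: re-reads the sysctl on every call, so a later change is seen. */
long live_max_op(struct capture_handle *h) { (void)h; return query_bpf_maxbufsize(); }

/* Prefer the live value when an op is installed and succeeds. */
long effective_max(struct capture_handle *h)
{
    long live = h->maximum_buffer_size_op ? h->maximum_buffer_size_op(h) : -1;
    return live > 0 ? live : h->max_at_create;
}

/* Clamp a request into [minimum, ceiling]; an unknown ceiling leaves it as is. */
long clamp_buffer_size(struct capture_handle *h, long requested, long minimum)
{
    long max = effective_max(h);
    if (requested < minimum) requested = minimum;
    if (max > 0 && requested > max) requested = max;
    return requested;
}

int main(void)
{
    struct capture_handle h = { query_bpf_maxbufsize(), live_max_op };
    /* 32 is a constructed minimum; on BSD, BPF_MINBUFSIZE from <net/bpf.h> would be used. */
    printf("granted: %ld\n", clamp_buffer_size(&h, 64L * 1024 * 1024, 32));
    return 0;
}
```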