Subject: Re: packet capturing
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Perry E. Metzger <email@example.com>
Date: 01/20/2004 14:51:24
Jonathan Stone <jonathan@DSG.Stanford.EDU> writes:
>>We can change our bpf buffersize with sysctl?
> Not in a stock 1.6ZF system, no; seems I never checked that in.
Please do. :)
> Also, libpcap's bpf backend (pcap-bpf.c) does a binary search to find
> the effective maximum bpf buffer size. I've occasionally increased
> libpcap's PCAP_BPF_MAX_BUFSIZ as high as 4 Mbytes.
> Any comments, pro or con, on that?
I do know that Marcus Ranum et all at NFR found they needed much
larger buffer sizes to get good capture characteristics, so being able
to do that from sysctl is a plus. I think they also made some other
changes to bpf but I don't really remember the details -- perhaps
there is a paper on them.
Perry E. Metzger firstname.lastname@example.org