Jonathan Stone <jonathan@DSG.Stanford.EDU> writes:
>>We can change our bpf buffersize with sysctl?
>
> Not in a stock 1.6ZF system, no; seems I never checked that in.

Please do. :)

> Also, libpcap's bpf backend (pcap-bpf.c) does a binary search to find
> the effective maximum bpf buffer size. I've occasionally increased
> libpcap's PCAP_BPF_MAX_BUFSIZ as high as 4 Mbytes.
>
> Any comments, pro or con, on that?

I do know that Marcus Ranum et all at NFR found they needed much
larger buffer sizes to get good capture characteristics, so being able
to do that from sysctl is a plus. I think they also made some other
changes to bpf but I don't really remember the details -- perhaps
there is a paper on them.

-- 
Perry E. Metzger		perry@piermont.com