Subject: Re: packet capturing
To: Perry E. Metzger <>
From: Darren Reed <>
List: tech-kern
Date: 01/21/2004 17:42:10
On Tue, 20 Jan 2004, Perry E. Metzger wrote:

> Jonathan Stone <jonathan@DSG.Stanford.EDU> writes:
> > We could make bpf_bufsize sysctl'able; or raise the default to
> > something that reduces bpf drop at high packet rate (somewhere between
> > 128 and 512k); or both.
> >
> > Which of these would you support?
> Both. The default probably should be jacked up only on larger memory
> machines though (which is an easy calculation during boot...)

None of this really needs doing.

There is an ioctl - BIOCSBLEN - that applications can use to set the
buffer size used for BPF.

What needs changing is BPF_MAXBUFSIZE (sys/net/bpf.h) from 32k to some
larger value - quite possibily even as high as 1Mb.  If an application
tries to set a 1MB buffer and fails (kernel says "too big") then it
should try again with a smaller size...

Maybe it should be this that is sysctl'able if you're really desperate
to add an interfaace to the BPF buffer size in sysctl.

I'm obviously taking the stance that if a program is going to expect
to be capturing a lot of packets then it should setup bpf appropriately
rather than expect it to be ready.

Is that all programs that use bpf?  No.