Subject: Re: packet capturing
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Darren Reed <darrenr@mail.netbsd.org>
List: tech-kern
Date: 01/21/2004 18:00:40
And does NetBSD, by default, ship with polling drivers or IRQ-based?

Personally, I read the paper as being an analysis of the performance
of packet capture using BPF (and then, using the current BPF compared
to enhancing it with a circular buffer) type tools with network drivers
that used both poll and non-polled I/O as well as a look at how different
buffer management within the kernel for BPF affects performance.

Currently NetBSD does not allow polled I/O and if you were to look at
that paper, regardless of what your specific case might be, it should
be somewhat obvious that implementing an efficient and somewhat
reliable packet capturing device is not something that NetBSD currently
solves well.  That said, even if your x-GHz PC can capture full speed
100BT now, I would hope that you would realise that this paper outlines
areas in which changes can be made that allow said PCs operating as an
IDS of sorts to spend more time doing analysis work and less time doing
the "capture packet".

That there are serious problems with "standard" BPF performance is well
known since NFR looked at using it for its first range of products some
years ago now.  To sit back and say "my super-fast PC has no problem"
is disingenuous and is ignoring real problems, both in NetBSD's I/O
handling and in BPF's buffer management.  That you are not affected
is fine for you, but people building embedded systems generally do not
have the luxury of using "current speed" CPUs, much the same as those
who use old PCs for firewall/IDS tasks.

Darren