Hi,

I just have a question: why is there so much _resistance_ to the
possibility that you might actually improve BPF's performance by
changing the implementation to use a ring buffer?

Yes, the paper cited does more to show that Linux's packet-capturing
facilities are inadequate than it does to show that BPF is inadequate.
Since NetBSD is not included in the results and the ring buffer is not
implemented in FreeBSD, we won't know or even have hints. However, the
paper does show how changing an implementation to a ring buffer +
device polling _can_ drastically improve performance without changing
the buffer's size.

I think the possibility of improving BPF to get higher packet capture
rates _even_ with small buffers is worthwhile in itself. Doubling,
tripling, quadrupling, and increasing the buffer size by even higher
factors may very well improve packet capture rates, but is anyone
interested in doing more with less (a more elegant/better designed
solution)? Since one poster pointed out that embedded systems won't
necessarily have 2 MB just to dedicate to packet capturing, I would
think there would be some motivation to at least explore alternatives.
If it turns out be a lame duck, well at least no one can claim it
wasn't even attempted. Is it heresy to think that you can actually
improve NetBSD without just throwing more hardware resources (memory)
at the problem?