[Snort-devel] R: [tcpdump-workers] Re: Re: [Ethereal-dev] Re: Fwd: kyxtech: freebsd outsniffed by wintendo !!?!?

Loris Degioanni loris at ...153...
Mon Dec 11 04:49:48 EST 2000


> On 2000-12-08 00:38 -0800, Guy Harris <gharris at ...148...> wrote:
> > (Both FreeBSD and OpenBSD have the maximum buffer size for BPF as
512KB
> > in the top of the CVS tree; NetBSD still has it as 32K.)
>
> You can change both the default and maximum BPF buffer sizes at
> run time (affecting an subsequent open()) in FreeBSD:
>
> # sysctl -w debug.bpf_bufsize=32768 debug.bpf_maxbufsize=4194304
>
> makes the default buffer size 32K and limits the size to 4MB, for
> example.

Notice however that in pcap-bpf.c, pcap_open_live()  forces the buffer
size to 32K through an IOCTL. This means that the sysctl is overridden
if BPF is used throug libpcap.

Loris.









More information about the Snort-devel mailing list