[Snort-devel] R: [tcpdump-workers] Re: Re: [Ethereal-dev] Re: Fwd: kyxtech: freebsd outsniffed by wintendo !!?!?

Loris Degioanni loris at ...153...
Mon Dec 11 04:49:48 EST 2000

> On 2000-12-08 00:38 -0800, Guy Harris <gharris at ...148...> wrote:
> > (Both FreeBSD and OpenBSD have the maximum buffer size for BPF as
> > in the top of the CVS tree; NetBSD still has it as 32K.)
> You can change both the default and maximum BPF buffer sizes at
> run time (affecting any subsequent open()) in FreeBSD:
> # sysctl -w debug.bpf_bufsize=32768 debug.bpf_maxbufsize=4194304
> makes the default buffer size 32K and limits the size to 4MB, for
> example.

Notice however that in pcap-bpf.c, pcap_open_live() forces the buffer
size to 32K through an IOCTL. This means that the sysctl is overridden
if BPF is used through libpcap.


