[Snort-devel] Re: R: [tcpdump-workers] Re: Re: [Ethereal-dev] Re: Fwd: kyxtech: freebsd outsniffed by wintendo !!?!?

Stefan Esser se at ...151...
Mon Dec 11 16:44:28 EST 2000


On 2000-12-11 10:49 +0100, Loris Degioanni <loris at ...153...> wrote:
> > # sysctl -w debug.bpf_bufsize=32768 debug.bpf_maxbufsize=4194304
> >
> > makes the default buffer size 32K and limits the size to 4MB, for
> > example.
> 
> Notice however that in pcap-bpf.c, pcap_open_live()  forces the buffer
> size to 32K through an IOCTL. This means that the sysctl is overridden
> if BPF is used throug libpcap.

Yes, you are of course correct mentioning that !

The override used to up the buffer size from the kernel default of 4KB to
32KB, but now that the default has become 32KB, we probably should use the
default as is and leave the user the option of choosing a different default
by means of sysctl ...

Regards, STefan



More information about the Snort-devel mailing list