[Snort-users] BPF/libpcap performance, was Re: Seg Fault

Jeff Nathan jeff at ...950...
Tue Feb 26 18:21:01 EST 2002

Erek Adams wrote:
> On Tue, 26 Feb 2002, Chris Green wrote:
> > If you are running Linux on your IDS stuff, it's worth it for hearing
> > about the things they do to turbo packet stuff now and then.
> Naaa...  I'm not quite that brave yet.
> > I'm sure there are things like memcaps for bpf and the like to set and
> > I'd love to see a good technical paper other than the winpcap one on
> > pcap performance as well as tuning.
> Hrm...
> > I'm also pretty sure one of the security websites would even pay a bit
> > for an article on tuning of pcap performance.
> >
> > Most everything I've seen in the past few years ranks right above
> > voodoo.
> Hey, I'm from Louisiana so I gotta believe in voodoo!  :)
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

Be forewarned, I'm making a stab in the dark here.

BSD IP stacks store packets in clusters of mbufs which are sized

I looked through the OpenBSD i386 headers and the size of the default
mbuf is 256 and the cluster size is 2048 bytes, which is large enough to
store an entire Ethernet frame.  Under OpenBSD (and I suspect all the
BSDs), you can change the number of clusters available to your stack in
your kernel configuration.  A fairly high number of clusters might be
something like 8192 if you're REALLY worried about running out.  I
believe the default value at this point is 2048.

How does this end up affecting bpf... that's another story altogether
(I have pretty much *no* idea).  Your mileage may vary.


http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
