[EMAIL PROTECTED]: I have two questions that concern enhancing the freebsd packet capture. I am looking into doing some source code changes for bpf, libpcap, and the kernel, if necessary, to increase the performance of packet capture for a custom sniffer on a loaded network. Now what I read was increasing the bpf buffer size to 256K rather than the default 32K. Can we increase this more? Can you please help me or rather point me in the right direction. Question 1: It I want to increase the buffer size of the bpf which #define would I have to change? I found a few BUF variables. The reason is that I want to sniff on a loaded 100Mbs network without dropping any packets. I found these variables: bpf.c:#define BPF_BUFSIZE (MCLBYTES-8) bpf.c:#define BPF_BUFSIZE 4096 bpf.h:#define BPF_MAXBUFSIZE 0x8000 bpf.h:#define BPF_MINBUFSIZE 32 My guess is that it is the #define BPF_MINBUFSIZE 32 because I read that the default buffer is 32K and I want to change it to 256K. Is this the right variable to change? or do I have to change code of libpcap files: pcap-enet.c:#define BUFSPACE (4*1024) pcap-nit.c:#define BUFSPACE (4*CHUNKSIZE) pcap-pf.c:#define BUFSPACE (200 * 256) pcap-snit.c:#define BUFSPACE (4*CHUNKSIZE) pcap.h:#define PCAP_ERRBUF_SIZE 256 Question 2: It seems after my testing if you insert a very large bpf filter rule to the bpf device, it breaks. My testing involved filtering in a few services/ports and external traffic to and from about 20 different ips and to exclude any internal traffic of the 20, which I can't subnet because they are not grouped together. The filter rule grows extreming large, which I thinks overruns the stack or address space for bpf. Is there any default variable that can increase the actucal filter rule or filter rule buffer? My collegue, hack the number of instructions that is passed to pcap, but it still breaks it. Can you point me where to look in order to increase the filter rule. Thanks, Carlos R. Garcia To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
