[Oisf-devel] [PATCH 0/2] lighten Packet structure v2
go.ph1g at gmail.com
Thu Nov 18 14:13:21 UTC 2010
On Nov 18, 2010 8:35am, Eric Leblond <eleblond at edenwall.com> wrote:
> Hi,
> On Thursday 18 November 2010 at 14:30 +0100, Victor Julien wrote:
> > Robert Kerr wrote:
> > > On Tue, 2010-11-16 at 23:00 +0100, Eric Leblond wrote:
> > >> Hi,
> > >
> > >> Here's a new version of the patchset which mainly does a renaming
> > >> of the function and increases the maximum packet size to 1514.
> > >
> > > I don't know if this is possible without adding to the complexity of
> > > things a lot, but could this max packet size be configured at runtime?
> > >
> > > It seems clear that the value should be either the same as or slightly
> > > higher than the MTU of the link suricata is monitoring. The problem is
> > > this may not be known at compile time - by fixing at 1514 you optimise
> > > for ethernet, but there are various other possibilities. SONET has an
> > > MTU around the 4000 mark, as does FDDI, and ethernet with jumbo frames
> > > is vendor specific but often around the 9000 mark.
> >
> > I agree with you Robert, this would be very useful.
> I will try to do something, this is really true that recompiling
> suricata to have good performance on jumbo frame is not something
> exciting.
> BR,
> --
> Éric Leblond, eleblond at edenwall.com
> Phone: +33 1 40 24 65 04, Fax: +33 9 57 21 48 75
> EdenWall, http://www.edenwall.com
Is it possible to check the MTU on the listening interface and set it that
way? I don't know if all devices support it or whether it would be a headache
to manage cross platform. I can see where pcap-snoop has a method to get
the MTU for IRIX interfaces.
http://www.opensource.apple.com/source/libpcap/libpcap-18/libpcap/pcap-snoop.c
#ifdef SIOCGIFMTU
    /*
     * XXX - IRIX appears to give you an error if you try to set the
     * capture length to be greater than the MTU, so let's try to get
     * the MTU first and, if that succeeds, trim the snap length
     * to be no greater than the MTU.
     */
    (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
    if (ioctl(fd, SIOCGIFMTU, (char *)&ifr) < 0) {
        snprintf(ebuf, PCAP_ERRBUF_SIZE, "SIOCGIFMTU: %s",
            pcap_strerror(errno));
        goto bad;
    }
    /*