[Oisf-users] [TIL] pcap.buffer-size yaml setting unused with Myricom Sniffer10g

Rasmor, Zachary R zachary.r.rasmor at lmco.com
Fri May 15 18:15:20 UTC 2015 

Hi all,

 

This will only be relevant to folks using Myricom cards, but I wanted to
share something I learned today.

 

As I'm sure you know, Myricom provides a libpcap wrapper around its native
SNF APIs. I had been unsure for a while how the pcap.buffer-size YAML
setting was used within SNF. My testing yielded no noticeable difference in
Suricata when adjusting this value, however I wanted to be sure. I tracked
this value to a call to pcap_set_buffer_size (a libpcap API) within the
Suricata source code. I then began an exchange with Myricom support
regarding how SNF handles the pcap_set_buffer_size() API. Here was the
response:

 

"The libpcap interface to Sniffer10G ignores the pcap_set_buffer_size()
value.  The call to snf_open() uses zero as the dataring_size which informs
the Sniffer library to use a default value or the value from the
SNF_DATARING_SIZE environment variable."

 

They also cited a pull request to add support for setting the
SNF_DATARING_SIZE using the value from pcap_set_buffer_size().

 

                "I've submitted this change to the libpcap maintainers at
https://github.com/the-tcpdump-group/libpcap/compare/master...myri:master as
pull request 435."

 

In summary, the pcap.buffer-size YAML setting is currently ignored when
using Myricom SNF, however a future release should provide support for using
the pcap.buffer-size to set the SNF_DATARING_SIZE from within the YAML file
instead of an environment variable.

 

Hope this helps!

 

Zach

________________________

Zach Rasmor

Senior Software Engineer

Lockheed Martin CIRT

700 N Frederick Ave | Gaithersburg, MD 20879

Email:  <mailto:zachary.r.rasmor at lmco.com> zachary.r.rasmor at lmco.com

Office: 301.240.6116

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150515/9154caa6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 11767 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150515/9154caa6/attachment.bin>

More information about the Oisf-users mailing list