[Oisf-users] [TIL] pcap.buffer-size yaml setting unused with Myricom Sniffer10g

Erich Lerch erich.lerch at gmail.com
Fri May 15 20:52:23 UTC 2015 

Thanks a lot for this information, Zach!
I was already wondering about it, as my tests showed the same: no
noticeable difference when changing pcap.buffer-size.
So now I definitely know where I won't have to try to tweak...

Erich


On 15.05.2015 20:15, Rasmor, Zachary R wrote:
> Hi all,
> 
>  
> 
> This will only be relevant to folks using Myricom cards, but I wanted to
> share something I learned today…
> 
>  
> 
> As I’m sure you know, Myricom provides a libpcap wrapper around its
> native SNF APIs. I had been unsure for a while how the pcap.buffer-size
> YAML setting was used within SNF. My testing yielded no noticeable
> difference in Suricata when adjusting this value, however I wanted to be
> sure. I tracked this value to a call to pcap_set_buffer_size (a libpcap
> API) within the Suricata source code. I then began an exchange with
> Myricom support regarding how SNF handles the pcap_set_buffer_size()
> API. Here was the response:
> 
>  
> 
> “The libpcap interface to Sniffer10G ignores the pcap_set_buffer_size()
> value.  The call to snf_open() uses zero as the dataring_size which
> informs the Sniffer library to use a default value or the value from the
> SNF_DATARING_SIZE environment variable.”
> 
>  
> 
> They also cited a pull request to add support for setting the
> SNF_DATARING_SIZE using the value from pcap_set_buffer_size().
> 
>  
> 
>                 “I've submitted this change to the libpcap maintainers
> at
> https://github.com/the-tcpdump-group/libpcap/compare/master...myri:master as
> pull request 435.”
> 
>  
> 
> In summary, the pcap.buffer-size YAML setting is currently ignored when
> using Myricom SNF, however a future release should provide support for
> using the pcap.buffer-size to set the SNF_DATARING_SIZE from within the
> YAML file instead of an environment variable.
> 
>  
> 
> Hope this helps!
> 
>  
> 
> Zach
> 
> *________________________*
> 
> *Zach Rasmor*
> 
> Senior Software Engineer
> 
> Lockheed Martin CIRT
> 
> 700 N Frederick Ave | Gaithersburg, MD 20879
> 
> Email: zachary.r.rasmor at lmco.com <mailto:zachary.r.rasmor at lmco.com>
> 
> Office: 301.240.6116
> 
>  
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>

More information about the Oisf-users mailing list