[Oisf-users] [TIL] pcap.buffer-size yaml setting unused with Myricom Sniffer10g
Erich Lerch
erich.lerch at gmail.com
Fri May 15 20:52:23 UTC 2015
Thanks a lot for this information, Zach!
I was already wondering about it, as my tests showed the same: no
noticeable difference when changing pcap.buffer-size.
So now I definitely know where I won't have to try to tweak...
Erich
On 15.05.2015 20:15, Rasmor, Zachary R wrote:
> Hi all,
>
>
>
> This will only be relevant to folks using Myricom cards, but I wanted to
> share something I learned today…
>
>
>
> As I’m sure you know, Myricom provides a libpcap wrapper around its
> native SNF APIs. I had been unsure for a while how the pcap.buffer-size
> YAML setting was used within SNF. My testing yielded no noticeable
> difference in Suricata when adjusting this value, however I wanted to be
> sure. I tracked this value to a call to pcap_set_buffer_size (a libpcap
> API) within the Suricata source code. I then began an exchange with
> Myricom support regarding how SNF handles the pcap_set_buffer_size()
> API. Here was the response:
>
>
>
> “The libpcap interface to Sniffer10G ignores the pcap_set_buffer_size()
> value. The call to snf_open() uses zero as the dataring_size which
> informs the Sniffer library to use a default value or the value from the
> SNF_DATARING_SIZE environment variable.”
>
>
>
> They also cited a pull request to add support for setting the
> SNF_DATARING_SIZE using the value from pcap_set_buffer_size().
>
>
>
> “I've submitted this change to the libpcap maintainers
> at
> https://github.com/the-tcpdump-group/libpcap/compare/master...myri:master as
> pull request 435.”
>
>
>
> In summary, the pcap.buffer-size YAML setting is currently ignored when
> using Myricom SNF, however a future release should provide support for
> using the pcap.buffer-size to set the SNF_DATARING_SIZE from within the
> YAML file instead of an environment variable.
>
>
>
> Hope this helps!
>
>
>
> Zach
>
> *________________________*
>
> *Zach Rasmor*
>
> Senior Software Engineer
>
> Lockheed Martin CIRT
>
> 700 N Frederick Ave | Gaithersburg, MD 20879
>
> Email: zachary.r.rasmor at lmco.com <mailto:zachary.r.rasmor at lmco.com>
>
> Office: 301.240.6116
>
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
More information about the Oisf-users
mailing list