[Oisf-users] EXTERNAL: Re: [TIL] pcap.buffer-size yaml setting unused with Myricom Sniffer10g

Rasmor, Zachary R zachary.r.rasmor at lmco.com
Tue May 19 14:15:33 UTC 2015

Hi Victor,

I have updated the Myricom wiki page with the information below, as well as
additional information that we've gathered from our testing.

Hope it helps.

Zach Rasmor
Email: zachary.r.rasmor at lmco.com
Office: 301.240.6116

-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org
[mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
Victor Julien
Sent: Tuesday, May 19, 2015 3:25 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: EXTERNAL: Re: [Oisf-users] [TIL] pcap.buffer-size yaml setting
unused with Myricom Sniffer10g

Hi Zach,

On 05/15/2015 08:15 PM, Rasmor, Zachary R wrote:
> This will only be relevant to folks using Myricom cards, but I wanted 
> to share something I learned today.
> As I'm sure you know, Myricom provides a libpcap wrapper around its 
> native SNF APIs. I had been unsure for a while how the 
> pcap.buffer-size YAML setting was used within SNF. My testing yielded 
> no noticeable difference in Suricata when adjusting this value, 
> however I wanted to be sure. I tracked this value to a call to 
> pcap_set_buffer_size (a libpcap
> API) within the Suricata source code. I then began an exchange with 
> Myricom support regarding how SNF handles the pcap_set_buffer_size() 
> API. Here was the response:
> "The libpcap interface to Sniffer10G ignores the 
> pcap_set_buffer_size() value.  The call to snf_open() uses zero as the 
> dataring_size which informs the Sniffer library to use a default value 
> or the value from the SNF_DATARING_SIZE environment variable."
> They also cited a pull request to add support for setting the 
> SNF_DATARING_SIZE using the value from pcap_set_buffer_size().
>                 "I've submitted this change to the libpcap maintainers 
> at 
> https://github.com/the-tcpdump-group/libpcap/compare/master...myri:mas
> ter as pull request 435."
> In summary, the pcap.buffer-size YAML setting is currently ignored 
> when using Myricom SNF, however a future release should provide 
> support for using the pcap.buffer-size to set the SNF_DATARING_SIZE 
> from within the YAML file instead of an environment variable.

Could you update this wiki page with this insight?


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 11767 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150519/ac080aaa/attachment-0002.bin>

More information about the Oisf-users mailing list