[Oisf-users] EXTERNAL: Re: [TIL] pcap.buffer-size yaml setting unused with Myricom Sniffer10g
Victor Julien
lists at inliniac.net
Tue May 19 14:19:17 UTC 2015
On 05/19/2015 04:15 PM, Rasmor, Zachary R wrote:
> I have updated the Myricom wiki page with the information below, as well as
> additional information that we've gathered from our testing.
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Myricom
Thanks a lot Zach!
Cheers,
Victor
> ________________________
> Zach Rasmor
> Email: zachary.r.rasmor at lmco.com
> Office: 301.240.6116
>
> -----Original Message-----
> From: oisf-users-bounces at lists.openinfosecfoundation.org
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
> Victor Julien
> Sent: Tuesday, May 19, 2015 3:25 AM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: EXTERNAL: Re: [Oisf-users] [TIL] pcap.buffer-size yaml setting
> unused with Myricom Sniffer10g
>
> Hi Zach,
>
> On 05/15/2015 08:15 PM, Rasmor, Zachary R wrote:
>> This will only be relevant to folks using Myricom cards, but I wanted
>> to share something I learned today.
>>
>>
>>
>> As I'm sure you know, Myricom provides a libpcap wrapper around its
>> native SNF APIs. I had been unsure for a while how the
>> pcap.buffer-size YAML setting was used within SNF. My testing yielded
>> no noticeable difference in Suricata when adjusting this value,
>> however I wanted to be sure. I tracked this value to a call to
>> pcap_set_buffer_size (a libpcap
>> API) within the Suricata source code. I then began an exchange with
>> Myricom support regarding how SNF handles the pcap_set_buffer_size()
>> API. Here was the response:
>>
>>
>>
>> "The libpcap interface to Sniffer10G ignores the
>> pcap_set_buffer_size() value. The call to snf_open() uses zero as the
>> dataring_size which informs the Sniffer library to use a default value
>> or the value from the SNF_DATARING_SIZE environment variable."
>>
>>
>>
>> They also cited a pull request to add support for setting the
>> SNF_DATARING_SIZE using the value from pcap_set_buffer_size().
>>
>>
>>
>> "I've submitted this change to the libpcap maintainers
>> at
>> https://github.com/the-tcpdump-group/libpcap/compare/master...myri:mas
>> ter as pull request 435."
>>
>>
>>
>> In summary, the pcap.buffer-size YAML setting is currently ignored
>> when using Myricom SNF, however a future release should provide
>> support for using the pcap.buffer-size to set the SNF_DATARING_SIZE
>> from within the YAML file instead of an environment variable.
>>
>>
>
> Could you update this wiki page with this insight?
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Myricom
>
> Thanks!
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list