El jue., 3 oct. 2019 a las 4:28, Guy Harris (<ghar...@sonic.net>) escribió:
>
> We might want to have another API to supply the *minimum* buffer size. For
> BSD-style BPF, we could use BPF_MINBUFSIZE if it's defined in <net/bpf.h>.
>
That sounds good. Should we still allow passing buffers below that
minimum with the original set_buffer_size?
> >> At least in macOS, and possibly in other BSD-flavored OSes, the sysctl
> >> variable debug.bpf_maxbufsize will indicate the maximum size.
> >
> > I'm not sure how to handle this.
> > Buffer size can only be set before activation, but filters can be set
> > at any point.
>
> That's the maximum *buffer* size. We can just return that value as of the
> time when the pcap_create() is done. Yes, there's a risk that it might be
> changed after it's fetched, but the chances of that are probably small; we
> could have a maximum_buffer_size_op pointer, and call
> p->maximum_buffer_size_op(p) rather than fetching the value from the pcap_t.
>
> The maximum *filter* size is, at least in macOS High Sierra, hardwired at 512
> instructions.
>
> The two sizes are independent; as far as I know, they're independent in Linux
> as well (filters aren't part of PF_PACKET, they're part of the socket
> mechanism) and in all other in-kernel capture mechanisms.
>
> > From the user POV, I wouldn't like my buffers to be limited by the
> > maximum size of filters
>
> They wouldn't be.
>
> > However, another user may attempt to set it after using a buffer
> > exceeding this, and it would fail in mysterious ways.
>
> If a user were to change debug.bpf_maxbufsize, that would only affect
> *subsequent* attempts to set up a BPF device; it wouldn't affect existing
> devices.
>
> > The only solution I came up with is to always use software filters
> > when the buffer is too big.
>
> No need to use software filters in that case.
>
> And I think we *already* use software filters if the *filter* is too big.
>
Yes, I now realize Mac OSX mechanism for capture is also called BPF.
Since it was brought up that BPF had buffer size issues, I assumed we
were talking about somehow filtering and buffer size interacting.
It did sound strange, but I'm more of a neophyte here so I just
assumed everyday we learn something new :)
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
