[Bro-Dev] snaplen and drops

Martin Holste mcholste at gmail.com
Fri Nov 4 05:39:04 PDT 2011

> This is interesting. Could your result be related to the small default buffer size in libpcap (the 2MB which have been problematic with Bro if a snaplen of 64 Kb is used?)
> Can you remember what your setup looked like?

The setup was a stock Ubuntu 10.04 LTS on both Intel and Broadcom
NICs, and the behavior was observed with any libpcap-based
application, including tcpdump.

> Hmm, I'm not sure that I understand. What do you mean by IRQ? Hardware interrupts originating from the NIC?
> I can see the following things that can influence the capturing performance:
> 1.) hardware interrupts
> 2.) software interrupts == availability of kernel threads to pull data into userspace
> 3.) packet copy operations
> 4.) packet exchange between kernel and userspace (e.g. mmap)
> 5.) synchronization between kernel and userspace (e.g. poll() on a socket)
> 1.) + 2.) are handled by the kernel, and to the best of my knowledge neither libpcap nor libdaq should have any influence on them.

This is where PF_RING and AF_PACKET come in.  They alter the way in
which polling takes place at the kernel level to save hardware

> When I'm back at our lab in the next week, I'll try to find some time to do some experiments.  If I can reproduce your observations, maybe I can find an explanation for the differences.

That would be great!  I'm very sure that AF_PACKET performs better
than stock libpcap on Ubuntu 10.04 LTS, but I can only make these
guesses as to why.
