[Bro-Dev] snaplen and drops
Robin Sommer
robin at icir.org
Fri Oct 28 08:56:35 PDT 2011
On Fri, Oct 28, 2011 at 10:49 +0200, you wrote:
> If you want to use the new API and do not want to drop support for
> libpcap < 1.0.0, you have to check the pcap version in cmake and set
> some define for old versions (e.g. -DOLD_PCAP). Then you can have
> something like the following in PktSrc.cc:
Thanks for the code example, I hadn't really looked at the new API
yet. I'm not that concerned about dropping support for libpcap < 1.
The part I don't like is how the new parameter "buffer size" impacts
behaviour of existing programs without given the user a hook to change
the default. That doesn't seem right to me.
Anyways, for Bro is probably makes most sense to address this as a
part of a larger piece we already have on our to-do list: overhauling
Bro's code for packet aquisition. It's in pretty bad shape right now:
(1) the main packet loop still works around problems with non-blocking
mode in older libpcap/OS versions; I would hope that's not necessary
anymore. (2), we don't have a nice interface for using other packet
sources than libpcap; we need an abstraction there. And finally (3),
if we got an interface in to exploit further NIC-level features, like
load-balancing, that would be pretty cool.
Not sure when we somebody will start working on all this though.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the bro-dev
mailing list