tcpdump allocates more mbufs than allowed by bpf(4)?
Garrett Cooper
yanegomi at gmail.com
Sat Apr 16 06:46:37 UTC 2011
Hello,

I did some poking around tcpdump for work today, and while doing
that I ran into this item...

    $ sysctl net.bpf
    net.bpf.zerocopy_enable: 0
    net.bpf.maxinsns: 512
    net.bpf.maxbufsize: 524288
    net.bpf.bufsize: 4096

Before I start tcpdump:

    $ vmstat -m | grep BPF
    BPF 26 12K - 127 16,128,512,4096

After I start tcpdump:

    $ vmstat -m | grep BPF
    BPF 30 1036K - 127 16,128,512,4096

The value set is of course 2*net.bpf.maxbufsize, not 32kB like one
of the authors did in [1]. I was wondering why this particular limit
isn't being strictly adhered to at the kernel level, except when
dealing with the BPF, or if this maximum buffer size is designed to be
a per buffer length. It looks like the latter based on what I saw in
/sys/net/bpf_buffer.c, but I just wanted to clarify that that was the
intended effect.
Thanks!
-Garrett
1. https://github.com/mcr/libpcap/commit/e154e275c22d803ce187e97dfbef19a26707c0ed