BPF problems on FreeBSD 7.0
Bruce M. Simpson
bms at FreeBSD.org
Mon Jul 14 13:44:35 UTC 2008
Robin Sommer wrote:
> Hi all,
> we're seeing some strange effects with our libpcap-based application
> (the Bro network intrusion detection system) on a FreeBSD 7-RELEASE
> system. As the application has always been running fine on 6.x,
> we're wondering whether this might be triggered by any of the
> changes that went into 7.
> I'm wondering whether anybody here has seen something similar or
> might have an idea where to start looking for the cause. Any ideas?
One place to start might be: netstat -B output in 7.x (I *think* this
got MFCed), this will let us see what the drop count is for the Bro
process, and what the flags are for the open BPF descriptors in the system.
I'm not hot on current BPF internals, but I hazard a guess this is
related to BPF descriptor buffering -- an area where there have been
changes, some of which I've eyeballed.
More information about the freebsd-net