Re: [tcpdump-workers] Max OS-X issues: read privledges / bpf buffer

2004-09-03 Thread Bruce M Simpson
Hi,

On Fri, Sep 03, 2004 at 11:41:42AM -0700, Guy Harris wrote:
> >One last thing,  I noticed in some other mails this month that 
> >eliminating timestamping will increase performance of bpf.  I don't use 
> >this feature of bpf, is there a way for me to turn it off in Darwin?
> 
> I suspect they either said, or at least meant, "increase performance of 
> packet capture" (referring to the general process, not specifically to 
> BPF) or "*would* increase performance of BPF"; BPF has no mechanism to 
> avoid time stamping packets.

Commenting out the call to microtime() in bpf.c would be one trivial way
to go about doing this. On FreeBSD, you could sacrifice accuracy for
lower execution time by using getmicrotime().

Or you could add a bpf ioctl to toggle this behaviour for a particular
bpf instance.

BMS
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


Re: [tcpdump-workers] Bug Fix in tcpdump 3.8.3

2004-09-03 Thread Guy Harris
On Sep 3, 2004, at 3:48 AM, Sebastien Vincent wrote:

> So I made changes into ./tcpdump.c and it now works fine.

Checked in.


Re: [tcpdump-workers] Max OS-X issues: read privledges / bpf buffer

2004-09-03 Thread Guy Harris
(Crap added to avoid this retransmission, with the right "From:" address 
this time, being seen as a duplicate.

Now is the time for all good parties to come to the aid of man.)
Eric St.John wrote:

> I'm trying to use libpcap in Darwin (uses bpf). In order to capture the 
> packets, I must have read access to the /dev/bpf* files. I can chmod 
> these, but as soon as I reboot their privileges are reset! Any ideas?

One idea would be to port the current FreeBSD devfs to Darwin; that 
version, unlike the Darwin one which is based on an older FreeBSD devfs, 
has a configuration file, letting you control the initial permissions, 
ownership, etc. on devices from a file (that's done by the devfs command).

If you do that, submit the work in a bug to Apple.

Another idea would be to see where devfs gets mounted, and, if it's done 
in one of the rc files or something run from one of the rc files, put in 
a chmod or chown after that point.

> I would also like to get a larger bpf buffer size. I call ioctl(fd, 
> BIOCSBLEN, (caddr_t)&v); with v initially equal to 64 MB.  After the 
> call v is changed to 32 K and a call with BIOCGBLEN confirms this.

$ uname -sr
Darwin 7.5.0
$ sysctl debug.bpf_maxbufsize
debug.bpf_maxbufsize: 32768

> Is there anything I can do (short of recompiling Darwin) to get around 
> this?

Use "sysctl" to increase "debug.bpf_maxbufsize" (that's actually a 
generic BSD answer, but some of the other BSDs might have increased the 
maximum).

> One last thing,  I noticed in some other mails this month that 
> eliminating timestamping will increase performance of bpf.  I don't use 
> this feature of bpf, is there a way for me to turn it off in Darwin?

I suspect they either said, or at least meant, "increase performance of 
packet capture" (referring to the general process, not specifically to 
BPF) or "*would* increase performance of BPF"; BPF has no mechanism to 
avoid time stamping packets.
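
Added example, not part of the original thread or of libpcap: a small C check for the buffer clamp discussed above. It compares the size asked for with BIOCSBLEN against what BIOCGBLEN reports and against debug.bpf_maxbufsize, and shows how little traffic a 32 K buffer holds at the rates mentioned. The helper names and the /dev/bpf0 path are assumptions; off Darwin it falls back to the figures reported in the thread.

```c
/* Added example (not from the thread): spot a silently clamped BPF buffer. */
#include <stdio.h>
#if defined(__APPLE__)
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/sysctl.h>
#include <net/bpf.h>
#include <fcntl.h>
#include <unistd.h>
#endif

/* 0 = request honoured, 1 = cut to the sysctl ceiling, 2 = cut for another reason. */
int clamp_reason(unsigned want, unsigned got, unsigned sysctl_max)
{
    if (got >= want)
        return 0;
    return got == sysctl_max ? 1 : 2;
}

/* Microseconds of traffic at rate_mbps that fit in buf_bytes (Mbit/s == bits per us);
 * approximate, since it ignores the per-packet bpf header. */
unsigned long buffer_covers_us(unsigned long buf_bytes, unsigned long rate_mbps)
{
    return rate_mbps ? buf_bytes * 8UL / rate_mbps : 0;
}

int main(void)
{
    /* Constructed defaults: the figures reported in the thread. */
    unsigned want = 64u << 20, got = 32768, max = 32768;
#if defined(__APPLE__)
    size_t len = sizeof(max);
    int fd = open("/dev/bpf0", O_RDONLY);      /* device index is an assumption */
    if (fd < 0) { perror("/dev/bpf0"); return 1; }
    if (sysctlbyname("debug.bpf_maxbufsize", &max, &len, NULL, 0) < 0)
        max = 0;                                 /* ceiling unknown */
    got = want;
    /* BIOCSBLEN must come before the descriptor is bound with BIOCSETIF. */
    if (ioctl(fd, BIOCSBLEN, &got) < 0 || ioctl(fd, BIOCGBLEN, &got) < 0) {
        perror("BIOCSBLEN/BIOCGBLEN"); close(fd); return 1;
    }
    close(fd);
#endif
    printf("want=%u got=%u max=%u reason=%d\n", want, got, max,
           clamp_reason(want, got, max));
    printf("buffer holds ~%lu us at 320 Mbit/s, ~%lu us at 80 Mbit/s\n",
           buffer_covers_us(got, 320), buffer_covers_us(got, 80));
    return 0;
}
```

A result of reason=1 means raising debug.bpf_maxbufsize with sysctl, as suggested above, is the fix; reason=2 points at some other limit.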


[tcpdump-workers] Max OS-X issues: read privledges / bpf buffer size

2004-09-03 Thread Eric St.John
I'm trying to use libpcap in Darwin (uses bpf). In order to capture the 
packets, I must have read access to the /dev/bpf* files. I can chmod 
these, but as soon as I reboot their privileges are reset! Any ideas?

I would also like to get a larger bpf buffer size. I call ioctl(fd, 
BIOCSBLEN, (caddr_t)&v); with v initially equal to 64 MB.  After the 
call v is changed to 32 K and a call with BIOCGBLEN confirms this.  Is 
there anything I can do (short of recompiling Darwin) to get around 
this?  I am trying to capture at sustained speeds of 80Mbps - 320Mbps.  
With these speeds I need a larger buffer for when the OS wanders off to 
do other stuff.

One last thing,  I noticed in some other mails this month that 
eliminating timestamping will increase performance of bpf.  I don't use 
this feature of bpf, is there a way for me to turn it off in Darwin?

Thanks,
Eric


[tcpdump-workers] Bug Fix in tcpdump 3.8.3

2004-09-03 Thread Sebastien Vincent
Hello.
I found a bug in current tcpdump (3.8.3).
This bug concerns the use of the flags -x/xx and -X/XX.
Whether you use x's or X's flags the output is the same. It
prints raw data in hex and ascii.
The man says :
-x's : hex print
-X's : hex + ascii print
So I made changes into ./tcpdump.c and it now works fine.
My system is gentoo 2004.2 under i386.
Here is the diff :
[EMAIL PROTECTED] shinmei $ diff -u tcpdump.c.old tcpdump.c
--- tcpdump.c.old   2004-09-03 14:37:24.944016224 +0400
+++ tcpdump.c   2004-09-03 14:36:34.957615312 +0400
@@ -585,7 +585,6 @@
   break;
   case 'X':
-   ++xflag;
   ++Xflag;
   break;
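Review bot: with `++xflag;` dropped from `case 'X':`, -X on its own now leaves xflag at zero, so any other code that tests xflag stops firing for -X, not only the raw-print site patched further down. Only that one site is adjusted in this diff; please check the remaining uses of xflag (for example any printer that keys hex output off it) and state in the commit message whether their changed behaviour under -X is intended.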
@@ -1020,7 +1019,7 @@
   /*
* Include the link-layer header.
*/
-   default_print(sp, h->caplen);
+   hex_print("\n\t", sp, h->caplen);
   } else {
   /*
* Don't include the link-layer header - and if
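Review bot: the fix is applied at the call site, swapping `default_print(sp, h->caplen)` for `hex_print("\n\t", sp, h->caplen)`, which leaves default_print itself unchanged for any other caller. If default_print is what produces the hex-plus-ASCII output described in the report, say why it is not corrected there instead, or list the other callers that are meant to keep the old output. The "\n\t" prefix also becomes a literal repeated at every call; one named constant would keep the four sites in step.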
@@ -1028,9 +1027,28 @@
* print nothing.
*/
   if (h->caplen > hdrlen)
-   default_print(sp + hdrlen,
+   hex_print("\n\t", sp + hdrlen,
   h->caplen - hdrlen);
   }
+   } else if (Xflag) {
+/*
+ * Print the raw packet data.
+ */
+if (Xflag > 1) {
+/*
+ * Include the link-layer header.
+ */
+ascii_print("\n\t", sp, h->caplen);
+} else {
+/*
+ * Don't include the link-layer header - and if
+ * we have nothing past the link-layer header,
+ * print nothing.
+ */
+if (h->caplen > hdrlen)
+ascii_print("\n\t", sp + hdrlen,
+h->caplen - hdrlen);
+}
   }
   putchar('\n');
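Review bot: the new branch is chained as `} else if (Xflag) {`, so when -x and -X are given together only the hex branch runs and -X is dropped without a message; either reject that combination at option parsing or decide which flag wins and document it. The added block is a copy of the xflag block with hex_print swapped for ascii_print, so a small helper that takes the print function would remove the duplication, and the added lines need indenting to match the surrounding code. The report quotes the man page as giving -X "hex + ascii", so please confirm that ascii_print emits both columns, since that is not visible from this diff.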
[EMAIL PROTECTED] shinmei $
Hope I can help :)
Sebastien Vincent