Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
before we change it, should we remember the previous setting and restore it when dumpcap exits?

Thus wrote Anders Broman (a.bro...@bredband.net):

> Bálint Réczey wrote 2013-08-22 23:02:
>> Hi,
>>
>> I would be happier if the applications I run did not change kernel configuration without my consent.
>
> I see your point...
>
>> Regarding Wireshark I would prefer suggesting
>> echo 1 > /proc/sys/net/core/bpf_jit_enable
>> in the documentation instead of adding code to enable JIT.
>> There may be good reasons for not enabling it by default in the Linux kernel.
>
> The problematic thing is that people seldom read the documentation, the setting gets reset at a reboot and it's easy to forget to re-enable it.
> The ideal thing would be if dumpcap
> - Had a preference/command line flag whether to use JIT or not.
> - If told to use it check if it was enabled or not used JIT and put it back to zero if not set when starting.
> Wireshark could then default to use JIT and some warnings could be displayed in the welcome screen and in dumpcap's help output.
>
> netsniff-ng activates it by default it seems.
> Regards
> Anders
>
>> Cheers,
>> Balint
>>
>> 2013/8/22 Anders Broman a.bro...@bredband.net:
>>> Guy Harris wrote 2013-08-22 18:16:
>>>> On Aug 22, 2013, at 4:46 AM, Anders Broman anders.bro...@ericsson.com wrote:
>>>>> Should we add code to enable the JIT compiler from dumpcap?
>>>>
>>>> Should I add code to enable the JIT compiler to libpcap while I'm at it?
>>>>
>>>> Should the Linux kernel folks enable it by default?
>>>>
>>>> I'm inclined to answer yes to all three questions. I think the FreeBSD JIT compiler is enabled by default. I'm surprised that the Linux one isn't.
>>>
>>> I checked in the dumpcap code. I agree that it might be useful in libpcap too, root privileges are required to change it I think.
>>> and Yes I'm surprised that the Linux one isn't
>>> Regards
>>> Anders

___
Sent via: Wireshark-dev mailing list wireshark-dev@wireshark.org
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
Hi,

2013/8/23 Anders Broman a.bro...@bredband.net:
> Bálint Réczey wrote 2013-08-22 23:02:
>> ...
>> Regarding Wireshark I would prefer suggesting
>> echo 1 > /proc/sys/net/core/bpf_jit_enable
>> in the documentation instead of adding code to enable JIT.
>> There may be good reasons for not enabling it by default in the Linux kernel.
>
> The problematic thing is that people seldom read the documentation, the setting gets reset at a reboot and it's easy to forget to re-enable it.
> The ideal thing would be if dumpcap

For people not reading the documentation capturing will be a bit slower or we could put a note on the welcome screen if JIT is not enabled.
For persistently enabling JIT we could also mention Sysfsutils [1].

> - Had a preference/command line flag whether to use JIT or not.
> - If told to use it check if it was enabled or not used JIT and put it back to zero if not set when starting.

I would prefer not adding features which can be implemented easily with two lines of scripts or with a change in the system configuration.

> Wireshark could then default to use JIT and some warnings could be displayed in the welcome screen and in dumpcap's help output.
>
> netsniff-ng activates it by default it seems.

I think it is not very kind of them.

Cheers,
Balint

[1] http://linux-diag.sourceforge.net/Sysfsutils.html
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
> before we change it, should we remember the previous setting and restore it when dumpcap exits?

Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap drops those after starting to capture.

Regards
Anders

-----Original Message-----
From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Martin Kaiser
Sent: 23 August 2013 10:36
To: wireshark-dev@wireshark.org
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
> For people not reading the documentation capturing will be a bit slower or we could put a note on the welcome screen if JIT is not enabled.
> For persistently enabling JIT we could also mention Sysfsutils [1].
>
> I would prefer not adding features which can be implemented easily with two lines of scripts or with a change in the system configuration.

Could you provide patches for this alternative solution?

Regards
Anders

-----Original Message-----
From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Bálint Réczey
Sent: 23 August 2013 10:50
To: Anders Broman
Cc: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

[1] http://linux-diag.sourceforge.net/Sysfsutils.html
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
2013/8/23 Anders Broman anders.bro...@ericsson.com:
>> before we change it, should we remember the previous setting and restore it when dumpcap exits?
>
> Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap drops those after starting to capture.

And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only.

Cheers,
Balint
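The check, enable and restore steps debated in the messages above, as an added C example that is not dumpcap's code and not from any poster in this thread: it enables the JIT only when the sysctl reads 0, remembers the old value for a later restore, and reports a permission failure (the non-root or dropped-privileges case) as a distinct status. The function names and status codes are assumptions made for this example; only the sysctl path comes from the thread.

```c
/* Added example: inspect, enable and restore the Linux BPF JIT sysctl. */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BPF_JIT_SYSCTL "/proc/sys/net/core/bpf_jit_enable"

/* Status codes are an assumption of this example, not a dumpcap API. */
enum jit_status {
    JIT_OK = 0,        /* operation succeeded */
    JIT_UNSUPPORTED,   /* file absent: no BPF JIT in this kernel, or not Linux */
    JIT_NO_PERMISSION, /* not root, or privileges were already dropped */
    JIT_ERROR          /* any other I/O or parse failure */
};

static enum jit_status status_from_errno(int err)
{
    if (err == ENOENT)
        return JIT_UNSUPPORTED;
    if (err == EACCES || err == EPERM)
        return JIT_NO_PERMISSION;
    return JIT_ERROR;
}

/* Read the current value: 0 means off, non-zero means the JIT is active. */
enum jit_status jit_read(const char *path, int *value)
{
    char buf[16], *end;
    ssize_t n;
    long v;
    int err, fd = open(path, O_RDONLY);

    if (fd < 0)
        return status_from_errno(errno);
    n = read(fd, buf, sizeof buf - 1);
    err = errno;
    close(fd);
    if (n < 0)
        return status_from_errno(err);
    buf[n] = '\0';
    v = strtol(buf, &end, 10);
    if (end == buf || v < 0 || v > INT_MAX)
        return JIT_ERROR;
    *value = (int)v;
    return JIT_OK;
}

/* Write a value; never creates the file (no O_CREAT). */
static enum jit_status jit_write(const char *path, int value)
{
    char buf[16];
    int len = snprintf(buf, sizeof buf, "%d\n", value);
    int err, fd = open(path, O_WRONLY | O_TRUNC);
    ssize_t n;

    if (fd < 0)
        return status_from_errno(errno);
    n = write(fd, buf, (size_t)len);
    err = errno;
    close(fd);
    if (n < 0)
        return status_from_errno(err);
    return n == len ? JIT_OK : JIT_ERROR;
}

/* Remember the old value in *saved and switch the JIT on only if it was 0. */
enum jit_status jit_enable_saving(const char *path, int *saved)
{
    enum jit_status st = jit_read(path, saved);

    if (st != JIT_OK || *saved != 0)
        return st;              /* unreadable, or already on: change nothing */
    return jit_write(path, 1);
}

/* Put the remembered value back; fails with JIT_NO_PERMISSION once the
 * process no longer has the privilege to write the sysctl. */
enum jit_status jit_restore(const char *path, int saved)
{
    int now;
    enum jit_status st = jit_read(path, &now);

    if (st != JIT_OK || now == saved)
        return st;
    return jit_write(path, saved);
}

/* Report-only use: tell the user about the setting without changing it. */
int main(void)
{
    int value;
    enum jit_status st = jit_read(BPF_JIT_SYSCTL, &value);

    if (st != JIT_OK)
        printf("BPF JIT setting not readable (status %d)\n", (int)st);
    else if (value == 0)
        printf("BPF JIT is off; as root: echo 1 > %s\n", BPF_JIT_SYSCTL);
    else
        printf("BPF JIT is on (value %d)\n", value);
    return 0;
}
```

Pointing jit_enable_saving() and jit_restore() at a scratch file exercises the save and restore path without touching the kernel setting.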
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
-----Original Message-----
From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Bálint Réczey
Sent: 23 August 2013 12:59
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

> 2013/8/23 Anders Broman anders.bro...@ericsson.com:
>>> before we change it, should we remember the previous setting and restore it when dumpcap exits?
>>
>> Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap drops those after starting to capture.
>
> And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only.
>
> Cheers,
> Balint

That's kind of my point after all these years this is still not used by everyone.

Regards
Anders
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
2013/8/23 Anders Broman anders.bro...@ericsson.com:
>>>> before we change it, should we remember the previous setting and restore it when dumpcap exits?
>>>
>>> Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap drops those after starting to capture.
>>
>> And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only.
>>
>> Cheers,
>> Balint
>
> That's kind of my point after all these years this is still not used by everyone.

If you mean there are people not reading the documentation, this is expected. Why would they read the documentation if Wireshark works well enough for them? No one reads all the documentation for all their software.

When one executes Wireshark as root on Linux a big warning points her/him to the documentation explaining why it is a bad idea. IMO running Wireshark as root or not running it as root makes a difference for people regarding security. Since Wireshark is a widely known and respected security related software we can't leave people uninformed in this aspect.

IMO enabling JIT is a way different case. 99% of the users won't notice any difference since AFAIK BPF execution is already fast enough to not be a bottleneck for casual network monitoring and the network professionals who need top performance are expected to read the documentation anyway and/or expected to know about BPF JIT already.

I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide. I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen.

I have attached a patch for the documentation.

Maybe working with the kernel developers to enable BPF JIT by default would also be useful.

Cheers,
Balint

0001-Mention-BPF-JIT-in-User-Guide.patch
Description: Binary data
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
-----Original Message-----
From: rbal...@gmail.com [mailto:rbal...@gmail.com] On Behalf Of Bálint Réczey
Sent: 23 August 2013 14:23
To: Anders Broman
Cc: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

> I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide. I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen.
>
> I have attached a patch for the documentation.

Thank you that will be useful in any case.
How about having it as a command line option? See sample code.
Does anyone else have an opinion?

> Maybe working with the kernel developers to enable BPF JIT by default would also be useful.

Not sure how to do that.

Regards
Anders

jit.patch
Description: jit.patch
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
2013/8/23 Anders Broman anders.bro...@ericsson.com:
>> I have attached a patch for the documentation.
>
> Thank you that will be useful in any case.
> How about having it as a command line option? See sample code.
> Does anyone else have an opinion?

It could be done, but so far we have already added plenty of code instead of recommending using echo:

71f7093 Output a warning about kernel BPF JIT compiler beeing activated.
 dumpcap.c |2 +-
 tshark.c |8
 2 files changed, 9 insertions(+), 1 deletion(-)

f9aaaeb Output a warning about kernel BPF JIT compiler beeing activated.
 dumpcap.c |6 ++
 1 file changed, 6 insertions(+)

347ea71 Only enable the Linux kernel BPF JIT compiler if we're on Linux.
 dumpcap.c | 32 ++--
 1 file changed, 22 insertions(+), 10 deletions(-)

5928ded Enable Kernel BPF JIT compiler from dumpcap.
 dumpcap.c | 21 +
 1 file changed, 21 insertions(+)

>> Maybe working with the kernel developers to enable BPF JIT by default would also be useful.
>
> Not sure how to do that.

Asking around on the kernel mailing list could help, I think.

Cheers,
Balint
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
*** E-mail via DME powered by mobile broadband *** --Original message--- Sender: rbal...@gmail.com rbal...@gmail.com Time: Fri Aug 23 17:54:00 CEST 2013 Cc: wireshark-dev@wireshark.org, Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: rbal...@gmail.com [mailto:rbal...@gmail.com] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 14:23 To: Anders Broman Cc: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 12:59 To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: before we change it, should we remember the previous setting and restore it when dumpcap exits? Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap Drops those after starting to capture. And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only. Cheers, Balint That's kind of my point after all these years this is still not used by every one. If you mean there are people not reading the documentation, this is expected. Why would they read the documentation if Wireshark works well enough for them? No one reads all the documentation for all their software. When one executes Wireshark as root on Linux a bit warning points her/him to the documentation explaining why it is a bad idea. IMO running Wireshark as root or not running it as root makes a difference for people regarding security. 
Since Wireshark is a widely known and respected security related software we can't leave people uninformed in this aspect. IMO enabling JIT is a way different case. 99% of the users won't notice any difference since AFAIK BPF execution is already fast enough to not be a bottleneck for casual network monitoring and the network professionals who need top performance are expected to read the documentation anyway and/or expected to know about BPF JIT already. I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide. I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen. I have attached a patch for the documentation. Thank you that will be useful in any case. How about having it as a command line option? See sample code. Does anyone else have an opinion? It could be done, but so far we have already added plenty of code instead of recommending using echo Yes but we disagree on this point as I don't think that will work. 71f7093 Output a warning about kernel BPF JIT compiler beeing activated. dumpcap.c |2 +- tshark.c |8 2 files changed, 9 insertions(+), 1 deletion(-) f9aaaeb Output a warning about kernel BPF JIT compiler beeing activated. dumpcap.c |6 ++ 1 file changed, 6 insertions(+) 347ea71 Only enable the Linux kernel BPF JIT compiler if we're on Linux. dumpcap.c | 32 ++-- 1 file changed, 22 insertions(+), 10 deletions(-) 5928ded Enable Kernel BPF JIT compiler from dumpcap. dumpcap.c | 21 + 1 file changed, 21 insertions(+) Maybe working with the kernel developers to enable BPF JIT by default would also be useful. Not sure how to do that. Asking around on the kernel mailing list could help, I think. 
Cheers, Balint Regards Anders -Original Message- From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Martin Kaiser Sent: den 23 augusti 2013 10:36 To: wireshark-dev@wireshark.org Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? before we change it, should we remember the previous setting and restore it when dumpcap exits? Thus wrote Anders Broman (a.bro...@bredband.net): Bálint Réczey skrev 2013-08-22 23:02: Hi, I would be happier if the applications I run did not change kernel configuration without my consent. I see your point... Regarding Wireshark I would prefer suggesting echo 1 /proc/sys/net/core/bpf_jit_enable in the documentation instead of adding code to enable JIT. There may be good reasons for not enabling it by default in the Linux kernel. The problematic thing is that people seldom reads the documentation, the setting gets reset at a reboot and it's easy to forget to re-enable it. The ideal thing would be if dumpcap - Had a preference/command line flag whether to use JIT or not. - If told to use it check if it was enabled or not used JIT and put
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
2013/8/23 Anders Broman anders.bro...@ericsson.com: *** E-mail via DME powered by mobile broadband *** --Original message--- Sender: rbal...@gmail.com rbal...@gmail.com Time: Fri Aug 23 17:54:00 CEST 2013 Cc: wireshark-dev@wireshark.org, Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: rbal...@gmail.com [mailto:rbal...@gmail.com] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 14:23 To: Anders Broman Cc: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 12:59 To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: before we change it, should we remember the previous setting and restore it when dumpcap exits? Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap Drops those after starting to capture. And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only. Cheers, Balint That's kind of my point after all these years this is still not used by every one. If you mean there are people not reading the documentation, this is expected. Why would they read the documentation if Wireshark works well enough for them? No one reads all the documentation for all their software. When one executes Wireshark as root on Linux a bit warning points her/him to the documentation explaining why it is a bad idea. IMO running Wireshark as root or not running it as root makes a difference for people regarding security. 
Since Wireshark is a widely known and respected security related software we can't leave people uninformed in this aspect. IMO enabling JIT is a way different case. 99% of the users won't notice any difference since AFAIK BPF execution is already fast enough to not be a bottleneck for casual network monitoring and the network professionals who need top performance are expected to read the documentation anyway and/or expected to know about BPF JIT already. I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide. I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen. I have attached a patch for the documentation. Thank you that will be useful in any case. How about having it as a command line option? See sample code. Does anyone else have an opinion? It could be done, but so far we have already added plenty of code instead of recommending using echo Yes but we disagree on this point as I don't think that will work. I agree that it won't work for most of the people. My point is that making JIT work for slightly more people (actually for those who misconfigured Wireshark) is a weak reason for messing with system configuration and enabling a kernel feature which the kernel developers do not trust enough to enable it by default. 71f7093 Output a warning about kernel BPF JIT compiler beeing activated. dumpcap.c |2 +- tshark.c |8 2 files changed, 9 insertions(+), 1 deletion(-) f9aaaeb Output a warning about kernel BPF JIT compiler beeing activated. dumpcap.c |6 ++ 1 file changed, 6 insertions(+) 347ea71 Only enable the Linux kernel BPF JIT compiler if we're on Linux. dumpcap.c | 32 ++-- 1 file changed, 22 insertions(+), 10 deletions(-) 5928ded Enable Kernel BPF JIT compiler from dumpcap. dumpcap.c | 21 + 1 file changed, 21 insertions(+) Maybe working with the kernel developers to enable BPF JIT by default would also be useful. Not sure how to do that. 
Asking around on the kernel mailing list could help, I think. Cheers, Balint Regards Anders -Original Message- From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Martin Kaiser Sent: den 23 augusti 2013 10:36 To: wireshark-dev@wireshark.org Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? before we change it, should we remember the previous setting and restore it when dumpcap exits? Thus wrote Anders Broman (a.bro...@bredband.net): Bálint Réczey skrev 2013-08-22 23:02: Hi, I would be happier if the applications I run did not change kernel configuration without my consent. I see your point... Regarding Wireshark I would prefer suggesting echo 1 /proc/sys/net/core/bpf_jit_enable in the documentation instead of adding code to enable JIT
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
*** E-mail via DME powered by mobile broadband *** --Original message--- Sender: Réczey Bálint rbal...@gmail.com Time: Fri Aug 23 21:00:00 CEST 2013 Cc: wireshark-dev@wireshark.org, Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: *** E-mail via DME powered by mobile broadband *** --Original message--- Sender: rbal...@gmail.com rbal...@gmail.com Time: Fri Aug 23 17:54:00 CEST 2013 Cc: wireshark-dev@wireshark.org, Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: rbal...@gmail.com [mailto:rbal...@gmail.com] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 14:23 To: Anders Broman Cc: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 12:59 To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: before we change it, should we remember the previous setting and restore it when dumpcap exits? Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap Drops those after starting to capture. And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only. Cheers, Balint That's kind of my point after all these years this is still not used by every one. If you mean there are people not reading the documentation, this is expected. Why would they read the documentation if Wireshark works well enough for them? No one reads all the documentation for all their software. 
When one executes Wireshark as root on Linux a bit warning points her/him to the documentation explaining why it is a bad idea. IMO running Wireshark as root or not running it as root makes a difference for people regarding security. Since Wireshark is a widely known and respected security related software we can't leave people uninformed in this aspect. IMO enabling JIT is a way different case. 99% of the users won't notice any difference since AFAIK BPF execution is already fast enough to not be a bottleneck for casual network monitoring and the network professionals who need top performance are expected to read the documentation anyway and/or expected to know about BPF JIT already. I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide. I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen. I have attached a patch for the documentation. Thank you that will be useful in any case. How about having it as a command line option? See sample code. Does anyone else have an opinion? It could be done, but so far we have already added plenty of code instead of recommending using echo Yes but we disagree on this point as I don't think that will work. I agree that it won't work for most of the people. My point is that making JIT work for slightly more people (actually for those who misconfigured Wireshark) is a weak reason for messing with system configuration and enabling a kernel feature which the kernel developers do not trust enough to enable it by default. I'm trying to come up with something acceptable to us both... Is it the kernel developers or the distribution setting the imitation? Guy indicated it's active in BFD systems. Anyway a majority vote? 71f7093 Output a warning about kernel BPF JIT compiler beeing activated. dumpcap.c |2 +- tshark.c |8 2 files changed, 9 insertions(+), 1 deletion(-) f9aaaeb Output a warning about kernel BPF JIT compiler beeing activated. 
dumpcap.c |6 ++ 1 file changed, 6 insertions(+) 347ea71 Only enable the Linux kernel BPF JIT compiler if we're on Linux. dumpcap.c | 32 ++-- 1 file changed, 22 insertions(+), 10 deletions(-) 5928ded Enable Kernel BPF JIT compiler from dumpcap. dumpcap.c | 21 + 1 file changed, 21 insertions(+) Maybe working with the kernel developers to enable BPF JIT by default would also be useful. Not sure how to do that. Asking around on the kernel mailing list could help, I think. Cheers, Balint Regards Anders -Original Message- From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Martin Kaiser Sent: den 23 augusti 2013 10:36 To: wireshark-dev@wireshark.org Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
2013/8/23 Anders Broman anders.bro...@ericsson.com: *** E-mail via DME powered by mobile broadband *** --Original message--- Sender: Réczey Bálint rbal...@gmail.com Time: Fri Aug 23 21:00:00 CEST 2013 Cc: wireshark-dev@wireshark.org, Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: *** E-mail via DME powered by mobile broadband *** --Original message--- Sender: rbal...@gmail.com rbal...@gmail.com Time: Fri Aug 23 17:54:00 CEST 2013 Cc: wireshark-dev@wireshark.org, Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: rbal...@gmail.com [mailto:rbal...@gmail.com] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 14:23 To: Anders Broman Cc: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: -Original Message- From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Bálint Réczey Sent: den 23 augusti 2013 12:59 To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap? 2013/8/23 Anders Broman anders.bro...@ericsson.com: before we change it, should we remember the previous setting and restore it when dumpcap exits? Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap Drops those after starting to capture. And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only. Cheers, Balint That's kind of my point after all these years this is still not used by every one. If you mean there are people not reading the documentation, this is expected. Why would they read the documentation if Wireshark works well enough for them? 
No one reads all the documentation for all their software. When one executes Wireshark as root on Linux a bit warning points her/him to the documentation explaining why it is a bad idea. IMO running Wireshark as root or not running it as root makes a difference for people regarding security. Since Wireshark is a widely known and respected security related software we can't leave people uninformed in this aspect. IMO enabling JIT is a way different case. 99% of the users won't notice any difference since AFAIK BPF execution is already fast enough to not be a bottleneck for casual network monitoring and the network professionals who need top performance are expected to read the documentation anyway and/or expected to know about BPF JIT already. I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide. I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen. I have attached a patch for the documentation. Thank you that will be useful in any case. How about having it as a command line option? See sample code. Does anyone else have an opinion? It could be done, but so far we have already added plenty of code instead of recommending using echo Yes but we disagree on this point as I don't think that will work. I agree that it won't work for most of the people. My point is that making JIT work for slightly more people (actually for those who misconfigured Wireshark) is a weak reason for messing with system configuration and enabling a kernel feature which the kernel developers do not trust enough to enable it by default. I'm trying to come up with something acceptable to us both... Is it the kernel developers or the distribution setting the imitation? Guy indicated it's active in BFD systems. Kernel devs provide a default, which can be overridden by the distribution (Debian does not change it and I think it is reasonable.). 
FreeBSD has a different implementation AFAIK and covers fewer architectures. Anyway a majority vote? I'm OK with that. Cheers, Balint 71f7093 Output a warning about kernel BPF JIT compiler beeing activated. dumpcap.c |2 +- tshark.c |8 2 files changed, 9 insertions(+), 1 deletion(-) f9aaaeb Output a warning about kernel BPF JIT compiler beeing activated. dumpcap.c |6 ++ 1 file changed, 6 insertions(+) 347ea71 Only enable the Linux kernel BPF JIT compiler if we're on Linux. dumpcap.c | 32 ++-- 1 file changed, 22 insertions(+), 10 deletions(-) 5928ded Enable Kernel BPF JIT compiler from dumpcap. dumpcap.c | 21 + 1 file changed, 21 insertions(+) Maybe working with the kernel developers to enable BPF JIT by default would also be useful. Not sure how to do that. Asking around on the kernel mailing list could help, I think. Cheers, Balint
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
On Aug 23, 2013, at 1:01 PM, Réczey Bálint rbal...@gmail.com wrote:

> FreeBSD has a different implementation AFAIK

The first implementation was the WinPcap one, for x86-32 or IA-32 or whatever you want to call the 32-bit version of x86. The FreeBSD people picked that one up, added x86-64 support, and, if I remember, didn't bother to cite the WinPcap folks (Loris Degioanni was a bit annoyed at that, as I remember). Both have BSDish licenses, which probably got in the way of adopting them for Linux, so I suspect the Linux implementation is independent (just as its implementation of the BPF interpreter is different).

> and covers fewer architectures.

Linux's JIT also handles PPC, although, as POWER/PowerPC/Power ISA has fixed-length instructions, it's apparently not vulnerable to the attack mentioned in the post Jakub cited. If they decided to support S/3x0-64^Wz/Architecture, that *would* be vulnerable (as would 68k and VAX, among others).
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
On Fri, Aug 23, 2013 at 10:23:32AM +, Anders Broman wrote:

>> before we change it, should we remember the previous setting and restore it when dumpcap exits?
>
> Preferably yes but I'm not sure it's possible as I think root privileges are required to write to the file and I think dumpcap drops those after starting to capture.

I've not looked at kernel sources, but isn't JITing done when attaching filter to socket? And later this sysctl variable takes no effect?

So we could do:

- enable JIT if not enabled
- pcap_setfilter(pcap, program)
- disable JIT if enabled
- drop privileges

It's a little racy, but well...
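The sequence proposed in the message above (enable the JIT only if it is off, attach the filter, put the old value back, then drop privileges), written out as an added C example; it is not code from the thread, Wireshark or netsniff-ng. It assumes, as the post does, that the setting only matters at the moment the filter is attached. `attach_with_jit`, `jit_scope`, `probe_attach` and the temporary file standing in for the sysctl are hypothetical names for this illustration, and the restore step handles the race the post mentions by leaving the value alone if it changed in the meantime.

```c
/* Added example: enable net.core.bpf_jit_enable only around filter attach,
 * then restore the previous value. All names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Path named in the thread. A real caller passes this while still privileged;
 * main() below uses a constructed temp file so it runs without root. */
#define BPF_JIT_SYSCTL "/proc/sys/net/core/bpf_jit_enable"

struct jit_scope { int changed; int restored; }; /* what attach_with_jit() did */
typedef int (*attach_fn)(void *ctx);             /* stand-in for pcap_setfilter() */

/* Read an integer sysctl file. Returns 0 on success, -1 on error. */
static int sysctl_read_int(const char *path, int *value)
{
    char buf[16], *end;
    ssize_t n;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    *value = (int)strtol(buf, &end, 10);
    return end == buf ? -1 : 0;
}

/* Write an integer sysctl file. Returns 0 on success, -1 on error. */
static int sysctl_write_int(const char *path, int value)
{
    char buf[16];
    int len = snprintf(buf, sizeof(buf), "%d\n", value);
    int fd = open(path, O_WRONLY | O_TRUNC);
    ssize_t n;

    if (fd < 0)
        return -1;
    n = write(fd, buf, (size_t)len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Runs attach() with the JIT enabled if possible; returns attach()'s result. */
int attach_with_jit(const char *path, attach_fn attach, void *ctx,
                    struct jit_scope *s)
{
    int before = 0, now = 0, rc;

    s->changed = s->restored = 0;
    /* Step 1: enable only if the setting is readable and currently off. */
    if (sysctl_read_int(path, &before) == 0 && before == 0)
        s->changed = (sysctl_write_int(path, 1) == 0);

    /* Step 2: attach the filter, whether or not the JIT could be enabled. */
    rc = attach(ctx);

    /* Step 3: undo only our own write. If the value is no longer the 1 we
     * wrote, someone else changed it in the meantime and it is left alone. */
    if (s->changed && sysctl_read_int(path, &now) == 0 && now == 1)
        s->restored = (sysctl_write_int(path, before) == 0);

    return rc; /* Step 4 is the caller's: drop privileges after this returns. */
}

/* Demo callback: records the value seen during attach and can simulate a
 * concurrent change by another process (interfere >= 0). */
struct probe { const char *path; int seen; int interfere; };

static int probe_attach(void *ctx)
{
    struct probe *p = ctx;

    if (sysctl_read_int(p->path, &p->seen) != 0)
        p->seen = -1;
    if (p->interfere >= 0)
        (void)sysctl_write_int(p->path, p->interfere);
    return 0;
}

int main(void)
{
    char path[] = "/tmp/bpf_jit_demoXXXXXX"; /* constructed stand-in file */
    struct probe p = { path, -1, -1 };
    struct jit_scope s;
    int after = -1, fd = mkstemp(path);

    if (fd < 0 || write(fd, "0\n", 2) != 2)
        return 1;
    close(fd);
    attach_with_jit(path, probe_attach, &p, &s);
    sysctl_read_int(path, &after);
    printf("during attach: %d, after: %d, changed=%d, restored=%d\n",
           p.seen, after, s.changed, s.restored);
    unlink(path);
    return 0;
}
```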
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
On Thu, Aug 22, 2013 at 08:45:06PM +0200, Jakub Zawadzki wrote:

> On Thu, Aug 22, 2013 at 09:16:04AM -0700, Guy Harris wrote:
>> On Aug 22, 2013, at 4:46 AM, Anders Broman anders.bro...@ericsson.com wrote:
>>> Should we add code to enable the JIT compiler from dumpcap?
>>
>> Should I add code to enable the JIT compiler to libpcap while I'm at it?
>>
>> Should the Linux kernel folks enable it by default?
>>
>> I'm inclined to answer yes to all three questions. I think the FreeBSD JIT compiler is enabled by default. I'm surprised that the Linux one isn't.
>
> Security issue: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

Also it's not perfect like BPF VM, check: https://lkml.org/lkml/2012/3/30/384a

Don't know if such instruction can happen in BPF filter generated by libpcap (Guy?). If yes we should not enable it on kernels before it was fixed.
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
On Aug 23, 2013, at 3:16 PM, Jakub Zawadzki darkjames...@darkjames.pl wrote:

> Also it's not perfect like BPF VM, check: https://lkml.org/lkml/2012/3/30/384a

Presumably meaning https://lkml.org/lkml/2012/3/30/384 as the link didn't work with the final a.

> Don't know if such instruction can happen in BPF filter generated by libpcap (Guy?).

I'll give a look at that...

...but bear in mind that what the current release of libpcap, or even the top of the trunk, does now isn't all that it might do in a future release, so even if it doesn't generate them now, it might do so in the future.

> If yes we should not enable it on kernels before it was fixed.

Yes.
[Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
Hi

Should we add code to enable the JIT compiler from dumpcap?

From netsniff-ng bpf.c (http://lingrok.org/xref/netsniff-ng/bpf.c):

    #include <fcntl.h>
    #include <string.h>
    #include <unistd.h>

    /* unlikely() comes from netsniff-ng's own headers; defined here so the snippet compiles alone */
    #ifndef unlikely
    #define unlikely(x) __builtin_expect(!!(x), 0)
    #endif

    int enable_kernel_bpf_jit_compiler(void)
    {
        int fd;
        ssize_t ret;
        char *file = "/proc/sys/net/core/bpf_jit_enable";

        fd = open(file, O_WRONLY);
        if (unlikely(fd < 0))
            return -1;
        /* write "1" to switch the JIT on */
        ret = write(fd, "1", strlen("1"));
        close(fd);
        return ret;
    }

Regards
Anders
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
Included a patch if someone wants to have a go at it.

From: wireshark-dev-boun...@wireshark.org [mailto:wireshark-dev-boun...@wireshark.org] On Behalf Of Anders Broman
Sent: 22 August 2013 13:47
To: wireshark-dev@wireshark.org
Subject: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

Hi

Should we add code to enable the JIT compiler from dumpcap?

From netsniff-ng bpf.c (http://lingrok.org/xref/netsniff-ng/bpf.c):

    #include <fcntl.h>
    #include <string.h>
    #include <unistd.h>

    /* unlikely() comes from netsniff-ng's own headers; defined here so the snippet compiles alone */
    #ifndef unlikely
    #define unlikely(x) __builtin_expect(!!(x), 0)
    #endif

    int enable_kernel_bpf_jit_compiler(void)
    {
        int fd;
        ssize_t ret;
        char *file = "/proc/sys/net/core/bpf_jit_enable";

        fd = open(file, O_WRONLY);
        if (unlikely(fd < 0))
            return -1;
        /* write "1" to switch the JIT on */
        ret = write(fd, "1", strlen("1"));
        close(fd);
        return ret;
    }

Regards
Anders

dumpcap.patch
Description: dumpcap.patch
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
On Aug 22, 2013, at 4:46 AM, Anders Broman anders.bro...@ericsson.com wrote:

> Should we add code to enable the JIT compiler from dumpcap?

Should I add code to enable the JIT compiler to libpcap while I'm at it?

Should the Linux kernel folks enable it by default?

I'm inclined to answer yes to all three questions. I think the FreeBSD JIT compiler is enabled by default. I'm surprised that the Linux one isn't.
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
Guy Harris wrote 2013-08-22 18:16:

> On Aug 22, 2013, at 4:46 AM, Anders Broman anders.bro...@ericsson.com wrote:
>> Should we add code to enable the JIT compiler from dumpcap?
>
> Should I add code to enable the JIT compiler to libpcap while I'm at it?
>
> Should the Linux kernel folks enable it by default?
>
> I'm inclined to answer yes to all three questions. I think the FreeBSD JIT compiler is enabled by default. I'm surprised that the Linux one isn't.

I checked in the dumpcap code. I agree that it might be useful in libpcap too, root privileges are required to change it I think. and Yes I'm surprised that the Linux one isn't

Regards
Anders
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
On Thu, Aug 22, 2013 at 09:16:04AM -0700, Guy Harris wrote:

> On Aug 22, 2013, at 4:46 AM, Anders Broman anders.bro...@ericsson.com wrote:
>> Should we add code to enable the JIT compiler from dumpcap?
>
> Should I add code to enable the JIT compiler to libpcap while I'm at it?
>
> Should the Linux kernel folks enable it by default?
>
> I'm inclined to answer yes to all three questions. I think the FreeBSD JIT compiler is enabled by default. I'm surprised that the Linux one isn't.

Security issue: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
On Aug 22, 2013, at 11:45 AM, Jakub Zawadzki darkjames...@darkjames.pl wrote:

> Security issue: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

Exploiting a combination of

1) JIT-equipped BPF's ability to put safe-but-still-somewhat-controllable code into the kernel under userland command;

2) x86's non-fixed-length instructions, so that if safe code also contains a byte sequence that corresponds to unsafe code, you can jump to that byte sequence;

3) UNIX-domain sockets' requirement to keep a sent file descriptor open (and thus to keep around everything attached to the FD, including a BPF filter) even if you close the socket yourself, so you can create a lot of instances of the JITted code without running out of FDs in your process;

4) some existing exploit that lets you control where the kernel jumps to;

to let you put Bad Code into enough locations that it's not *too* hard to find where it is and then go there.
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
Hi,

I would be happier if the applications I run did not change kernel configuration without my consent.

Regarding Wireshark I would prefer suggesting
echo 1 > /proc/sys/net/core/bpf_jit_enable
in the documentation instead of adding code to enable JIT. There may be good reasons for not enabling it by default in the Linux kernel.

Cheers,
Balint

2013/8/22 Anders Broman a.bro...@bredband.net:
> Guy Harris wrote on 2013-08-22 18:16:
>> On Aug 22, 2013, at 4:46 AM, Anders Broman anders.bro...@ericsson.com wrote:
>>> Should we add code to enable the JIT compiler from dumpcap?
>> Should I add code to enable the JIT compiler to libpcap while I'm at it?
>> Should the Linux kernel folks enable it by default?
>> I'm inclined to answer yes to all three questions. I think the FreeBSD JIT compiler is enabled by default. I'm surprised that the Linux one isn't.
> I checked in the dumpcap code. I agree that it might be useful in libpcap too, root privileges are required to change it I think.
> and Yes I'm surprised that the Linux one isn't
> Regards
> Anders
Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
Bálint Réczey wrote on 2013-08-22 23:02:
> Hi,
> I would be happier if the applications I run did not change kernel configuration without my consent.

I see your point...

> Regarding Wireshark I would prefer suggesting
> echo 1 > /proc/sys/net/core/bpf_jit_enable
> in the documentation instead of adding code to enable JIT. There may be good reasons for not enabling it by default in the Linux kernel.

The problematic thing is that people seldom read the documentation, the setting gets reset at a reboot and it's easy to forget to re-enable it. The ideal thing would be if dumpcap

- Had a preference/command line flag whether to use JIT or not.
- If told to use it, check if it was enabled or not, used JIT and put it back to zero if not set when starting.

Wireshark could then default to use JIT and some warnings could be displayed in the welcome screen and in dumpcap's help output. netsniff-ng activates it by default it seems.

Regards
Anders

> Cheers,
> Balint
>
> 2013/8/22 Anders Broman a.bro...@bredband.net:
>> Guy Harris wrote on 2013-08-22 18:16:
>>> On Aug 22, 2013, at 4:46 AM, Anders Broman anders.bro...@ericsson.com wrote:
>>>> Should we add code to enable the JIT compiler from dumpcap?
>>> Should I add code to enable the JIT compiler to libpcap while I'm at it?
>>> Should the Linux kernel folks enable it by default?
>>> I'm inclined to answer yes to all three questions. I think the FreeBSD JIT compiler is enabled by default. I'm surprised that the Linux one isn't.
>> I checked in the dumpcap code. I agree that it might be useful in libpcap too, root privileges are required to change it I think.
>> and Yes I'm surprised that the Linux one isn't
>> Regards
>> Anders
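
The opt-in and put-it-back-to-zero behaviour proposed in the message above, as an added sketch that is not part of the thread and not dumpcap's code. The names jit_state, jit_read, jit_write, jit_enable_scoped and jit_restore are hypothetical, and the helpers take the file path as a parameter so they can be exercised on an ordinary file instead of the real sysctl.

```c
#include <stdio.h>

/* The sysctl from the thread; the helpers take a path so they also run on a plain file. */
#define BPF_JIT_SYSCTL "/proc/sys/net/core/bpf_jit_enable"

/* Hypothetical record of what was found and whether this process changed it. */
struct jit_state {
    int previous; /* value before we touched it, -1 if unreadable */
    int changed;  /* 1 only if this process wrote a new value */
};

/* Read the setting; -1 if the file is missing or unparsable. */
int jit_read(const char *path)
{
    int v = -1;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Write the setting; -1 on failure (on the real sysctl, typically not root). */
int jit_write(const char *path, int v)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int ok = fprintf(f, "%d\n", v) > 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Enable JIT only on explicit opt-in, and only when it is currently 0. */
int jit_enable_scoped(const char *path, int opt_in, struct jit_state *st)
{
    st->previous = jit_read(path);
    st->changed = 0;
    if (!opt_in || st->previous != 0)
        return 0; /* no consent, already enabled by the admin, or unknown */
    if (jit_write(path, 1) != 0) return -1;
    st->changed = 1;
    return 0;
}

/* Put the old value back on exit, unless we never changed it or it changed since. */
int jit_restore(const char *path, const struct jit_state *st)
{
    if (!st->changed || jit_read(path) != 1) return 0;
    return jit_write(path, st->previous);
}
```

The restore step re-reads the value first, so a setting that an administrator or another capture process changed in the meantime is not overwritten.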