tcpdump mailing list archives
Re: why not filtering at driver level ?
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 24 Oct 2006 05:32:59 +0000
On 2006-10-24 05:11, Guy Harris wrote:
3. Raise the limit on the maximum number of BPF instructions. You're going to have to add stuff to, or change stuff in, the kernel to implement this *anyway*, so you might as well just boost the maximum number of BPF instructions and not have to change libpcap *at all*.
I've lost track of what the original issue was, but if the maximum size of the in-kernel BPF program is the sticking point, it's tunable at runtime, or at least it used to be. Set /proc/sys/net/core/optmem_max to 32 + 8 * number-of-bpf-instructions. There's still an upper bound, but the default value is much lower. -- Jefferson Ogata <Jefferson.Ogata () noaa gov> NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov> "Never try to retrieve anything from a bear."--National Park Service - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Re: Sniffing inbound ethernet frames only, (continued)
- Re: Sniffing inbound ethernet frames only Jost-DVSB (Oct 23)
- Re: Sniffing inbound ethernet frames only Jefferson Ogata (Oct 23)
- why not filtering at driver level ? madhuresh (Oct 23)
- Re: why not filtering at driver level ? Guy Harris (Oct 23)
- Re: why not filtering at driver level ? madhuresh (Oct 23)
- Re: why not filtering at driver level ? Guy Harris (Oct 23)
- Re: why not filtering at driver level ? madhuresh (Oct 23)
- Re: why not filtering at driver level ? Guy Harris (Oct 23)
- Re: why not filtering at driver level ? Guy Harris (Oct 23)
- Re: why not filtering at driver level ? Jefferson Ogata (Oct 23)
- Re: why not filtering at driver level ? Jefferson Ogata (Oct 23)
- Re: Sniffing inbound ethernet frames only Jost-DVSB (Oct 23)
- Re: Sniffing inbound ethernet frames only Jost-DVSB (Oct 23)
- Re: Sniffing inbound ethernet frames only Hannes Gredler (Oct 24)