From: Jason Ish Date: Wed, 13 Mar 2024 21:50:57 +0000 (-0600) Subject: pcap-file: use larger buffer for reading pcap files X-Git-Tag: suricata-8.0.0-beta1~947 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f2aef777790ebabd10c597798b1e9170bc00594;p=thirdparty%2Fsuricata.git pcap-file: use larger buffer for reading pcap files Inspired by a recent Zeek blog post, this could speed up PCAP processing by a few percent. Ticket: #7155.
---
diff --git a/src/source-pcap-file-helper.c b/src/source-pcap-file-helper.c
index 6434ae2acc..a93a955831 100644
--- a/src/source-pcap-file-helper.c
+++ b/src/source-pcap-file-helper.c
@@ -208,6 +208,11 @@ TmEcode InitPcapFile(PcapFileFileVars *pfv)
 SCReturnInt(TM_ECODE_FAILED);
 }
 
+ errno = 0;
+ if (setvbuf(pcap_file(pfv->pcap_handle), pfv->buffer, _IOFBF, sizeof(pfv->buffer)) < 0) {
+ SCLogWarning("Failed to setvbuf on PCAP file handle: %s", strerror(errno));
+ }
+
 if (pfv->shared != NULL && pfv->shared->bpf_string != NULL) {
 SCLogInfo("using bpf-filter \"%s\"", pfv->shared->bpf_string);
 
diff --git a/src/source-pcap-file-helper.h b/src/source-pcap-file-helper.h
index ec5444887f..c2d9ed6f20 100644
--- a/src/source-pcap-file-helper.h
+++ b/src/source-pcap-file-helper.h
@@ -80,6 +80,8 @@ typedef struct PcapFileFileVars_
 const u_char *first_pkt_data;
 struct pcap_pkthdr *first_pkt_hdr;
 struct timeval first_pkt_ts;
+
+ char buffer[131072];
 } PcapFileFileVars;
 
 /**
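Review bot: The added `setvbuf` call in InitPcapFile passes the result of `pcap_file(pfv->pcap_handle)` straight through with no NULL check; `pcap_file()` can return NULL when the handle is not backed by a savefile stream, and handing NULL to `setvbuf` is undefined behaviour. The failure test is also too narrow: ISO C only promises a nonzero return on failure, so `< 0` should be `!= 0`, and because `setvbuf` is not required to set errno the `strerror(errno)` text may report a stale or empty reason. A minimal change is `FILE *fp = pcap_file(pfv->pcap_handle);` followed by `if (fp != NULL && setvbuf(fp, pfv->buffer, _IOFBF, sizeof(pfv->buffer)) != 0) {`. Separately, ISO C permits `setvbuf` only before any other operation on the stream, and the open call above the hunk has presumably already read the capture file header, so this relies on the libc tolerating a late call. The body of InitPcapFile starts and ends outside the hunk.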
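Review bot: The new `buffer` member in PcapFileFileVars becomes the stdio buffer of the pcap stream through the `setvbuf` call in source-pcap-file-helper.c, so it has to outlive that stream; a cleanup path that frees the struct before `pcap_close()` has run would leave libc holding a dangling pointer. The cleanup code is not part of this diff, so that ordering should be confirmed and the requirement recorded on the field, for example `/* stdio buffer handed to setvbuf(); must stay valid until pcap_close(pcap_handle) */`. The literal `131072` would be easier to audit as a named constant. Every PcapFileFileVars also now carries 128 KiB inline, even when the `setvbuf` call fails. The struct definition begins above the hunk.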