From: Victor Julien Date: Tue, 9 Jul 2024 07:19:58 +0000 (+0200) Subject: pcap: implement pcap-file-buffer-size option X-Git-Tag: suricata-8.0.0-beta1~945 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=688bd538cf9385ab490616fc279b880504e2c178;p=thirdparty%2Fsuricata.git pcap: implement pcap-file-buffer-size option Allows easy specification of buffer size on the commandline. Ticket: #7155. --- diff --git a/doc/userguide/partials/options.rst b/doc/userguide/partials/options.rst index 34f8f6a1bb..91f8241854 100644 --- a/doc/userguide/partials/options.rst +++ b/doc/userguide/partials/options.rst @@ -77,6 +77,11 @@ continuously feed files to a directory and have them cleaned up when done. If this option is not set, pcap files will not be deleted after processing. +.. option:: --pcap-file-buffer-size + + Set read buffer size using ``setvbuf`` to speed up pcap reading. Valid values + are 4 KiB to 64 MiB. Default value is 128 KiB. Supported on Linux only. + .. option:: -i After the -i option you can enter the interface card you would like diff --git a/src/suricata.c b/src/suricata.c index a10ba74c63..25fe915be8 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -631,6 +631,7 @@ static void PrintUsage(const char *progname) printf("\t--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n"); printf("\t--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n"); printf("\t--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)\n"); + printf("\t--pcap-file-buffer-size : set read buffer size (setvbuf)\n"); #ifdef HAVE_PCAP_SET_BUFF printf("\t--pcap-buffer-size : size of the pcap buffer value from 0 - %i\n",INT_MAX); #endif /* HAVE_SET_PCAP_BUFF */ @@ -1351,6 +1352,7 @@ TmEcode SCParseCommandLine(int argc, char **argv) {"pcap-file-continuous", 0, 0, 0}, {"pcap-file-delete", 0, 0, 0}, {"pcap-file-recursive", 0, 0, 0}, + {"pcap-file-buffer-size", required_argument, 0, 0}, {"simulate-ips", 0, 0 , 0}, {"no-random", 0, &g_disable_randomness, 1}, {"strict-rule-keywords", optional_argument, 0, 0}, @@ -1755,8 +1757,12 @@ TmEcode SCParseCommandLine(int argc, char **argv) SCLogError("failed to set pcap-file.recursive"); return TM_ECODE_FAILED; } - } - else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) { + } else if (strcmp((long_opts[option_index]).name, "pcap-file-buffer-size") == 0) { + if (ConfSetFinal("pcap-file.buffer-size", optarg) != 1) { + SCLogError("failed to set pcap-file.buffer-size"); + return TM_ECODE_FAILED; + } + } else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) { if (optarg == NULL) { SCLogError("no option argument (optarg) for -d"); return TM_ECODE_FAILED; @@ -1774,7 +1780,7 @@ TmEcode SCParseCommandLine(int argc, char **argv) return TM_ECODE_FAILED; } suri->set_datadir = true; - } else if (strcmp((long_opts[option_index]).name , "strict-rule-keywords") == 0){ + } else if (strcmp((long_opts[option_index]).name, "strict-rule-keywords") == 0) { if (optarg == NULL) { suri->strict_rule_parsing_string = SCStrdup("all"); } else { diff --git a/suricata.yaml.in b/suricata.yaml.in index a54c337524..3aacfc569f 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -860,6 +860,8 @@ pcap-file: # checksum off-loading is used. (default) # Warning: 'checksum-validation' must be set to yes to have checksum tested checksum-checks: auto + # Read buffer size set using setvbuf. Max value is 64 MiB. Linux only. + #buffer-size: 128 KiB # See "Advanced Capture Options" below for more options, including Netmap # and PF_RING.