pcap-file: use larger buffer for reading pcap files

Inspired by a recent Zeek blog post, this could speed up PCAP
processing by a few percent.

Ticket: #7155.

diff --git a/src/source-pcap-file-helper.c b/src/source-pcap-file-helper.c
index 6434ae2acc6aaac42ec3c13c0383e6fd008e3321..a93a9558313eb63cb6572354dda390d43ee06904 100644 (file)
--- a/src/source-pcap-file-helper.c
+++ b/src/source-pcap-file-helper.c
@@ -208,6 +208,11 @@ TmEcode InitPcapFile(PcapFileFileVars *pfv)
         SCReturnInt(TM_ECODE_FAILED);
     }
 
+    errno = 0;
+    if (setvbuf(pcap_file(pfv->pcap_handle), pfv->buffer, _IOFBF, sizeof(pfv->buffer)) < 0) {
+        SCLogWarning("Failed to setvbuf on PCAP file handle: %s", strerror(errno));
+    }
+
     if (pfv->shared != NULL && pfv->shared->bpf_string != NULL) {
         SCLogInfo("using bpf-filter \"%s\"", pfv->shared->bpf_string);
 

diff --git a/src/source-pcap-file-helper.h b/src/source-pcap-file-helper.h
index ec5444887f8189415bbd7ce02a1da11b5a0e821f..c2d9ed6f2020dce6b51571f2fcbb15bdf0e4c5f8 100644 (file)
--- a/src/source-pcap-file-helper.h
+++ b/src/source-pcap-file-helper.h
@@ -80,6 +80,8 @@ typedef struct PcapFileFileVars_
     const u_char *first_pkt_data;
     struct pcap_pkthdr *first_pkt_hdr;
     struct timeval first_pkt_ts;
+
+    char buffer[131072];
 } PcapFileFileVars;
 
 /**