iosource/pcap: Support configurable buffer size

On Linux with a default ext4 or tmpfs filesystem, the default buffer size for reading a pcap is chosen as 4k (strace/gdb validated). When reading large pcaps containing raw data transfers, the syscall overhead for read becomes visible in profiles. Support configurability of the buffer size and default to 128kb. When processing a ~830M PCAP (16 UDP connections, each transferring ~50MB) in bare mode, this change improves runtime from 1.39 sec to 1.29 sec. Increasing the buffer further didn't provide a noticeable boost.
2025-10-08 01:28:20 +00:00 · 2023-10-09 10:29:57 +02:00 · 2023-10-09 10:29:57 +02:00 · 7fac5837c3
commit 7fac5837c3
parent c161b1c4b1
9 changed files with 63 additions and 2 deletions
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@ -10,6 +10,8 @@
 #include <pcap-int.h>
 #endif

+#include <stdio.h>
+
 #include "zeek/Event.h"
 #include "zeek/iosource/BPF_Program.h"
 #include "zeek/iosource/Packet.h"
@ -176,10 +178,42 @@ void PcapSource::OpenOffline()
 	{
 	char errbuf[PCAP_ERRBUF_SIZE];

-	pd = pcap_open_offline(props.path.c_str(), errbuf);
+	FILE* f = nullptr;
+	if ( props.path == "-" )
+		{
+		f = stdin;
+		}
+	else
+		{
+		if ( f = fopen(props.path.c_str(), "rb"); ! f )
+			{
+			Error(util::fmt("unable to open %s: %s", props.path.c_str(), strerror(errno)));
+			return;
+			}
+
+		// Setup file IO buffering with a bufsize_offline_bytes sized
+		// buffer if set, otherwise use what fopen() took as the default.
+		if ( BifConst::Pcap::bufsize_offline_bytes != 0 )
+			{
+			iobuf.resize(BifConst::Pcap::bufsize_offline_bytes);
+			if ( util::detail::setvbuf(f, iobuf.data(), _IOFBF, iobuf.size()) != 0 )
+				{
+				Error(util::fmt("unable to setvbuf %s: %s", props.path.c_str(), strerror(errno)));
+				fclose(f);
+				return;
+				}
+			}
+		}
+
+	// pcap_fopen_offline() takes ownership of f on success and
+	// pcap_close() elsewhere should close it, too.
+	pd = pcap_fopen_offline(f, errbuf);

 	if ( ! pd )
 		{
+		if ( f != stdin )
+			fclose(f);
+
 		Error(errbuf);
 		return;
 		}
--- a/src/iosource/pcap/Source.h
+++ b/src/iosource/pcap/Source.h
@ -4,6 +4,7 @@

 #include <sys/types.h> // for u_char
 #include <unistd.h>
+#include <vector>

 extern "C"
 	{
@ -44,6 +45,9 @@ private:

 	pcap_t* pd;
 	struct pcap_stat prev_pstat = {0};
+
+	// Buffer provided to setvbuf() when reading from a PCAP file.
+	std::vector<char> iobuf;
 	};

 	} // namespace zeek::iosource::pcap
--- a/src/iosource/pcap/pcap.bif
+++ b/src/iosource/pcap/pcap.bif
@ -3,6 +3,7 @@ module Pcap;

 const snaplen: count;
 const bufsize: count;
+const bufsize_offline_bytes: count;
 const non_fd_timeout: interval;

 %%{