mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 07:38:19 +00:00
iosource/pcap: Support configurable buffer size
On Linux with a default ext4 or tmpfs filesystem, the default buffer size for reading a pcap is chosen as 4k (strace/gdb validated). When reading large pcaps containing raw data transfers, the syscall overhead for read becomes visible in profiles. Support configurability of the buffer size and default to 128kb. When processing a ~830M PCAP (16 UDP connections, each transferring ~50MB) in bare mode, this change improves runtime from 1.39 sec to 1.29 sec. Increasing the buffer further didn't provide a noticeable boost.
This commit is contained in:
Arne Welzel
parent
c161b1c4b1
commit
7fac5837c3
9 changed files with 63 additions and 2 deletions
|
|
@ -4,6 +4,7 @@
|
|||
|
||||
#include <sys/types.h> // for u_char
|
||||
#include <unistd.h>
|
||||
#include <vector>
|
||||
|
||||
extern "C"
|
||||
{
|
||||
|
|
@ -44,6 +45,9 @@ private:
|
|||
|
||||
pcap_t* pd;
|
||||
struct pcap_stat prev_pstat = {0};
|
||||
|
||||
// Buffer provided to setvbuf() when reading from a PCAP file.
|
||||
std::vector<char> iobuf;
|
||||
};
|
||||
|
||||
} // namespace zeek::iosource::pcap
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue