pcap: implement pcap-file-buffer-size option

Allows easy specification of buffer size on the commandline. Ticket: OISF#7155.
ct0br0 · Aug 30, 2024 · 688bd53 · 688bd53
1 parent 7b730c2
commit 688bd53
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/doc/userguide/partials/options.rst b/doc/userguide/partials/options.rst
@@ -77,6 +77,11 @@
    continuously feed files to a directory and have them cleaned up when done. If
    this option is not set, pcap files will not be deleted after processing.
 
+.. option:: --pcap-file-buffer-size <value>
+
+   Set read buffer size using ``setvbuf`` to speed up pcap reading. Valid values
+   are 4 KiB to 64 MiB. Default value is 128 KiB. Supported on Linux only.
+
 .. option::  -i <interface>
 
    After the -i option you can enter the interface card you would like

diff --git a/src/suricata.c b/src/suricata.c
@@ -631,6 +631,7 @@ static void PrintUsage(const char *progname)
     printf("\t--pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted\n");
     printf("\t--pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done\n");
     printf("\t--pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)\n");
+    printf("\t--pcap-file-buffer-size              : set read buffer size (setvbuf)\n");
 #ifdef HAVE_PCAP_SET_BUFF
     printf("\t--pcap-buffer-size                   : size of the pcap buffer value from 0 - %i\n",INT_MAX);
 #endif /* HAVE_SET_PCAP_BUFF */
@@ -1351,6 +1352,7 @@ TmEcode SCParseCommandLine(int argc, char **argv)
         {"pcap-file-continuous", 0, 0, 0},
         {"pcap-file-delete", 0, 0, 0},
         {"pcap-file-recursive", 0, 0, 0},
+        {"pcap-file-buffer-size", required_argument, 0, 0},
         {"simulate-ips", 0, 0 , 0},
         {"no-random", 0, &g_disable_randomness, 1},
         {"strict-rule-keywords", optional_argument, 0, 0},
@@ -1755,8 +1757,12 @@ TmEcode SCParseCommandLine(int argc, char **argv)
                     SCLogError("failed to set pcap-file.recursive");
                     return TM_ECODE_FAILED;
                 }
-            }
-            else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
+            } else if (strcmp((long_opts[option_index]).name, "pcap-file-buffer-size") == 0) {
+                if (ConfSetFinal("pcap-file.buffer-size", optarg) != 1) {
+                    SCLogError("failed to set pcap-file.buffer-size");
+                    return TM_ECODE_FAILED;
+                }
+            } else if (strcmp((long_opts[option_index]).name, "data-dir") == 0) {
                 if (optarg == NULL) {
                     SCLogError("no option argument (optarg) for -d");
                     return TM_ECODE_FAILED;
@@ -1774,7 +1780,7 @@ TmEcode SCParseCommandLine(int argc, char **argv)
                     return TM_ECODE_FAILED;
                 }
                 suri->set_datadir = true;
-            } else if (strcmp((long_opts[option_index]).name , "strict-rule-keywords") == 0){
+            } else if (strcmp((long_opts[option_index]).name, "strict-rule-keywords") == 0) {
                 if (optarg == NULL) {
                     suri->strict_rule_parsing_string = SCStrdup("all");
                 } else {

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -860,6 +860,8 @@ pcap-file:
   #  checksum off-loading is used. (default)
   # Warning: 'checksum-validation' must be set to yes to have checksum tested
   checksum-checks: auto
+  # Read buffer size set using setvbuf. Max value is 64 MiB. Linux only.
+  #buffer-size: 128 KiB
 
 # See "Advanced Capture Options" below for more options, including Netmap
 # and PF_RING.