Well, the upper limit depends on the operating system on which you're
capturing; I think you asked questions on the WinPcap list earlier, so
presumably you're using Windows.
On Mar 19, 2009, at 11:45 PM, jli@xxxxxxxxxxxx wrote:
I use wireshark for realtime packets capture at 640Mbps and
found packets drop, and i want to set a large kernel buffer, but i
only found 127MB can be set, but my memory is 3GB and has 2.6G
available.
why?
Perhaps Microsoft wants to limit the size of the kernel region of the
address space. I think Windows doesn't have separate kernel and user
address spaces on x86, so the bigger the kernel portion of the address
space is, the smaller the user portion of the address space is, and
thus the less address space is available to user applications for
*their* data. In addition, they might want to limit the size of the
unpaged pool, so as not to take too much memory away from use by
userland code; the WinPcap buffer is, I think, in the unpaged pool.
For more information on why the kernel buffer is limited, you might
want to ask on the WinPcap list (although at leas some of the WinPcap
developers are on this list).
Note also that the buffer can fix latency problems, where you drop
packets because the system is temporarily unable to write them to disk
(or otherwise process them) as fast as they're arriving; the buffer
can hold packets during a temporary problem of that sort. It cannot
fix throughput problems, where you drop packets because the system is
*inherently* incapable of writing them to disk (or otherwise process
them) as fast as they're arriving - capture for long enough in a
situation such as that, and your buffer will eventually fill up and
you will drop packets.
