Wireshark-users: Re: [Wireshark-users] what is the upper limit of buffer size?
From: "Gianluca Varenni" <gianluca.varenni@xxxxxxxxxxxx>
Date: Mon, 23 Mar 2009 09:09:30 -0700

----- Original Message ----- From: "Guy Harris" <guy@xxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, March 20, 2009 10:51 AM
Subject: Re: [Wireshark-users] what is the upper limit of buffer size?


Well, the upper limit depends on the operating system on which you're
capturing; I think you asked questions on the WinPcap list earlier, so
presumably you're using Windows.

On Mar 19, 2009, at 11:45 PM, jli@xxxxxxxxxxxx wrote:

      I use wireshark for realtime packets capture at 640Mbps and
found packets drop, and i want to set a large kernel buffer, but i
only found 127MB can be set, but my memory is 3GB and has 2.6G
available.
     why?

Perhaps Microsoft wants to limit the size of the kernel region of the
address space.  I think Windows doesn't have separate kernel and user
address spaces on x86, so the bigger the kernel portion of the address
space is, the smaller the user portion of the address space is, and
thus the less address space is available to user applications for
*their* data.  In addition, they might want to limit the size of the
unpaged pool, so as not to take too much memory away from use by
userland code; the WinPcap buffer is, I think, in the unpaged pool.

On windows the address space is sort of shared, more or less like in Linux (although the linux kernel allows you to have different address spaces).

On an x86 system, the upper 2GBs of virtual address space are reserved to the kernel. No user code that touch that memory. And these 2GB are used (and shared) by the whole kernel and all the kernel mode drivers (including WinPcap). There is 1 single virtual address space for the kernel. The lower 2GB are the virtual address space for user applications. Each user level process has its own virtual address space of 2GB, so that different processes cannot corrupt the memory of another process. Kernel and user virtual address space are separate, so allocating memory in kernel mode does not affect the amlount of address space available in user mode, and vice versa (this is an over-simplification).

The memory used by the WinPcap driver is allocated in the so-called nonpaged pool, a type of kernel memory that is guaranteed to reside in physical memory at all times, i.e. when you read or write in that memory, the swap is not involved. This memory is extremely precious, and scarce, so not much of this memory is available (the limit is, as I said before, 256MB on an x86 machine).

GV


For more information on why the kernel buffer is limited, you might
want to ask on the WinPcap list (although at leas some of the WinPcap
developers are on this list).

Note also that the buffer can fix latency problems, where you drop
packets because the system is temporarily unable to write them to disk
(or otherwise process them) as fast as they're arriving; the buffer
can hold packets during a temporary problem of that sort.  It cannot
fix throughput problems, where you drop packets because the system is
*inherently* incapable of writing them to disk (or otherwise process
them) as fast as they're arriving - capture for long enough in a
situation such as that, and your buffer will eventually fill up and
you will drop packets.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe