Home page logo
/

wireshark logo Wireshark mailing list archives

Re: Enabling linux kernel jit compiler from dumpcap?
From: Anders Broman <anders.broman () ericsson com>
Date: Fri, 23 Aug 2013 17:07:25 +0000



*** E-mail via DME powered by mobile broadband ***


--Original message---
Sender: "rbalint () gmail com" <rbalint () gmail com>
Time: Fri Aug 23 17:54:00 CEST 2013
Cc: wireshark-dev () wireshark org, 
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

2013/8/23 Anders Broman <anders.broman () ericsson com>:


-----Original Message-----
From: rbalint () gmail com [mailto:rbalint () gmail com] On Behalf Of Bálint Réczey
Sent: den 23 augusti 2013 14:23
To: Anders Broman
Cc: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

2013/8/23 Anders Broman <anders.broman () ericsson com>:


-----Original Message-----
From: wireshark-dev-bounces () wireshark org
[mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Bálint
Réczey
Sent: den 23 augusti 2013 12:59
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

2013/8/23 Anders Broman <anders.broman () ericsson com>:
before we change it, should we remember the previous setting and restore it when dumpcap exits?

Preferably yes but I'm not sure it's possible as I think root
privileges are required to write to the file and I think dumpcap Drops those after starting to capture.
And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture 
only.

Cheers,
Balint

That's kind of my point after all these years this is still not used by every one.


If you mean there are people not reading the documentation, this is expected.
Why would they read the documentation if Wireshark works well enough for them?
No one reads all the documentation for all their software.

When one executes Wireshark as root on Linux a bit warning points her/him to the documentation explaining why it is a 
bad idea.
IMO running Wireshark as root or not running it as root makes a difference for people regarding security. Since 
Wireshark is a widely known and respected >security related software we can't leave people uninformed in this aspect.

IMO enabling JIT is a way different case. 99% of the users won't notice any difference since AFAIK BPF execution is 
already fast enough to not be a >bottleneck for casual network monitoring and the network professionals who need top 
performance are expected to read the documentation anyway >and/or expected to know about BPF JIT already.

I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide.
I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen.
I have attached a patch for the documentation.


Thank you that will be useful in any case.
How about having it as a command line option? See sample code.  Does anyone else have an opinion?
It could be done, but so far we have already added plenty of code
instead of recommending
using echo

Yes but we disagree on this point as I don't think that will work.

71f7093 Output a warning about kernel BPF JIT compiler beeing activated.
 dumpcap.c |    2 +-
 tshark.c  |    8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
f9aaaeb Output a warning about kernel BPF JIT compiler beeing activated.
 dumpcap.c |    6 ++++++
 1 file changed, 6 insertions(+)
347ea71 Only enable the Linux kernel BPF JIT compiler if we're on Linux.
 dumpcap.c |   32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
5928ded Enable Kernel BPF JIT compiler from dumpcap.
 dumpcap.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)



Maybe working with the kernel developers to enable BPF JIT by default would also be useful.
Not sure how to do that.
Asking around on the kernel mailing list could help, I think.

Cheers,
Balint





Regards
Anders

-----Original Message-----
From: wireshark-dev-bounces () wireshark org
[mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Martin
Kaiser
Sent: den 23 augusti 2013 10:36
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

before we change it, should we remember the previous setting and restore it when dumpcap exits?

Thus wrote Anders Broman (a.broman () bredband net):

Bálint Réczey skrev 2013-08-22 23:02:
Hi,

I would be happier if the applications I run did not change kernel
configuration without my consent.
I see your point...

Regarding Wireshark I would prefer suggesting "echo 1 >
/proc/sys/net/core/bpf_jit_enable" in the documentation instead of
adding code to enable JIT.
There may be good reasons for not enabling it by default in the Linux kernel.
The problematic thing is that people seldom reads the documentation,
the setting gets reset at a reboot and it's easy to forget to
re-enable it. The ideal thing would be if dumpcap
- Had a preference/command line flag whether to use JIT or not.
- If told to use it check if it was enabled or not used JIT and put
it back to zero if not set when starting.
Wireshark could then default to use JIT and some warnings could be
displayed in the welcome screen and in dumpcaps help output.

netsniff-ng activates it by default it seems.
Regards
Anders

Cheers,
Balint

2013/8/22 Anders Broman <a.broman () bredband net>:
Guy Harris skrev 2013-08-22 18:16:

On Aug 22, 2013, at 4:46 AM, Anders Broman
<anders.broman () ericsson com>
wrote:

Should we add code to enable the JIT compiler from dumpcap?
Should I add code to enable the JIT compiler to libpcap while I'm at it?

Should the Linux kernel folks enable it by default?

I'm inclined to answer "yes" to all three questions.  I think the
FreeBSD JIT compiler is enabled by default.  I'm surprised that the Linux one isn't.
I checked in the dumpcap code. I agree that it might be useful in
libpcap too, root privileges are required to change it I think.
and Yes

I'm surprised that the Linux one isn't
Regards
Anders
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]