Packet capturing uses the BPF device, generally in combination with libpcap. This device executes a filter on each packet and afterwards stores the packet in a double buffer (see [Sch04de-sep, Sch05en-da] for details). The size of this double buffer can be adjusted via a sysctl. Setting it to 2×10 Mbytes has proven to be a good choice.
Since FreeBSD 6 you can do this by setting:
sysctl -w net.bpf.bufsize=10485760
sysctl -w net.bpf.maxbufsize=10485760
For older FreeBSD versions, just use:
sysctl -w debug.bpf_bufsize=10485760
sysctl -w debug.maxbpf_bufsize=10485760
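An added example, not part of the original text: a shell check that the values above are actually in effect on a capture host, since settings made with sysctl -w last only until the next reboot. The function names bpf_value and audit_bpf, the live invocation in the comment and the sample values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit BPF buffer sysctls against the 10 Mbytes given in the text.
# Live use (assumed invocation): sysctl net.bpf | audit_bpf   (older: sysctl debug | audit_bpf)
TARGET=10485760

# bpf_value KEY: read sysctl output on stdin and print KEY's integer value.
# Accepts "key: value" as well as "key=value" / "key = value".
bpf_value() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*[:=][ \t]*[0-9]+[ \t]*$/) {
                gsub(/[^0-9]/, "", rest); print rest; exit
            }
        }'
}

# audit_bpf: read sysctl output on stdin, print one finding per key.
# Returns 0 only if both default and maximum are at least TARGET.
audit_bpf() {
    out=$(cat)
    # Prefer the FreeBSD 6+ names; fall back to the older debug.* names.
    if [ -n "$(printf '%s\n' "$out" | bpf_value net.bpf.bufsize)" ]; then
        keys="net.bpf.bufsize net.bpf.maxbufsize"
    else
        keys="debug.bpf_bufsize debug.maxbpf_bufsize"
    fi
    rc=0
    for key in $keys; do
        val=$(printf '%s\n' "$out" | bpf_value "$key")
        if [ -z "$val" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$val" -lt "$TARGET" ]; then
            echo "LOW $key=$val (want >= $TARGET)"; rc=1
        else
            echo "OK $key=$val"
        fi
    done
    return "$rc"
}

# Constructed sample input, not captured from a real host.
SAMPLE_UNTUNED='net.bpf.bufsize: 4096
net.bpf.maxbufsize: 524288'
printf '%s\n' "$SAMPLE_UNTUNED" | audit_bpf || echo "BPF buffers below target"
```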
As with FreeBSD, Linux offers some possibilities to tune its capturing performance as well. Because of the different capturing stack, which does not have a buffer but a queue of pointers behind the filter, one has to increase the receive buffer for all incoming packets and the queue length. This can be done via the /proc filesystem (with Linux we found that 32 Mbytes is a good amount of memory):