Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?

From: Bálint Réczey <balint@xxxxxxxxxxxxxxx>
Date: Fri, 23 Aug 2013 17:53:51 +0200
2013/8/23 Anders Broman <anders.broman@xxxxxxxxxxxx>:
>
>
> -----Original Message-----
> From: rbalint@xxxxxxxxx [mailto:rbalint@xxxxxxxxx] On Behalf Of Bálint Réczey
> Sent: den 23 augusti 2013 14:23
> To: Anders Broman
> Cc: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
>
> 2013/8/23 Anders Broman <anders.broman@xxxxxxxxxxxx>:
>>
>>
>> -----Original Message-----
>> From: wireshark-dev-bounces@xxxxxxxxxxxxx
>> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Bálint
>> Réczey
>> Sent: den 23 augusti 2013 12:59
>> To: Developer support list for Wireshark
>>> Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
>>>
>>> 2013/8/23 Anders Broman <anders.broman@xxxxxxxxxxxx>:
>>>>> before we change it, should we remember the previous setting and restore it when dumpcap exits?
>>>>
>>>> Preferably yes but I'm not sure it's possible as I think root
>>>> privileges are required to write to the file and I think dumpcap Drops those after starting to capture.
>>> And in the configuration the documentation recommends dumpcap does not run as root, it has permission to capture only.
>>>
>>> Cheers,
>>> Balint
>>>
>>> That's kind of my point after all these years this is still not used by every one.
>
>
>>If you mean there are people not reading the documentation, this is expected.
>>Why would they read the documentation if Wireshark works well enough for them?
>>No one reads all the documentation for all their software.
>>
>>When one executes Wireshark as root on Linux a bit warning points her/him to the documentation explaining why it is a bad idea.
>>IMO running Wireshark as root or not running it as root makes a difference for people regarding security. Since Wireshark is a widely known and respected >security related software we can't leave people uninformed in this aspect.
>>
>>IMO enabling JIT is a way different case. 99% of the users won't notice any difference since AFAIK BPF execution is already fast enough to not be a >bottleneck for casual network monitoring and the network professionals who need top performance are expected to read the documentation anyway >and/or expected to know about BPF JIT already.
>>
>>I suggest reverting the recent JIT related patches and mentioning BPF JIT in the User Guide.
>>I think having or not having JIT enabled would not affect enough people to warrant a note on the welcome screen.
>>I have attached a patch for the documentation.
>
>
> Thank you that will be useful in any case.
> How about having it as a command line option? See sample code.  Does anyone else have an opinion?
It could be done, but so far we have already added plenty of code
instead of recommending
using echo:
71f7093 Output a warning about kernel BPF JIT compiler beeing activated.
 dumpcap.c |    2 +-
 tshark.c  |    8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
f9aaaeb Output a warning about kernel BPF JIT compiler beeing activated.
 dumpcap.c |    6 ++++++
 1 file changed, 6 insertions(+)
347ea71 Only enable the Linux kernel BPF JIT compiler if we're on Linux.
 dumpcap.c |   32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
5928ded Enable Kernel BPF JIT compiler from dumpcap.
 dumpcap.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)


>
>>Maybe working with the kernel developers to enable BPF JIT by default would also be useful.
> Not sure how to do that.
Asking around on the kernel mailing list could help, I think.

Cheers,
Balint

>
>
>>
>>>
>>> Regards
>>> Anders
>>>
>>> -----Original Message-----
>>> From: wireshark-dev-bounces@xxxxxxxxxxxxx
>>> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Martin
>>> Kaiser
>>> Sent: den 23 augusti 2013 10:36
>>> To: wireshark-dev@xxxxxxxxxxxxx
>>> Subject: Re: [Wireshark-dev] Enabling linux kernel jit compiler from dumpcap?
>>>
>>> before we change it, should we remember the previous setting and restore it when dumpcap exits?
>>>
>>> Thus wrote Anders Broman (a.broman@xxxxxxxxxxxx):
>>>
>>>> Bálint Réczey skrev 2013-08-22 23:02:
>>>>> Hi,
>>>
>>>>> I would be happier if the applications I run did not change kernel
>>>>> configuration without my consent.
>>>> I see your point...
>>>
>>>>> Regarding Wireshark I would prefer suggesting "echo 1 >
>>>>> /proc/sys/net/core/bpf_jit_enable" in the documentation instead of
>>>>> adding code to enable JIT.
>>>>> There may be good reasons for not enabling it by default in the Linux kernel.
>>>> The problematic thing is that people seldom reads the documentation,
>>>> the setting gets reset at a reboot and it's easy to forget to
>>>> re-enable it. The ideal thing would be if dumpcap
>>>> - Had a preference/command line flag whether to use JIT or not.
>>>> - If told to use it check if it was enabled or not used JIT and put
>>>> it back to zero if not set when starting.
>>>> Wireshark could then default to use JIT and some warnings could be
>>>> displayed in the welcome screen and in dumpcaps help output.
>>>
>>>> netsniff-ng activates it by default it seems.
>>>> Regards
>>>> Anders
>>>
>>>>> Cheers,
>>>>> Balint
>>>
>>>>> 2013/8/22 Anders Broman <a.broman@xxxxxxxxxxxx>:
>>>>>> Guy Harris skrev 2013-08-22 18:16:
>>>
>>>>>>> On Aug 22, 2013, at 4:46 AM, Anders Broman
>>>>>>> <anders.broman@xxxxxxxxxxxx>
>>>>>>> wrote:
>>>
>>>>>>>> Should we add code to enable the JIT compiler from dumpcap?
>>>>>>> Should I add code to enable the JIT compiler to libpcap while I'm at it?
>>>
>>>>>>> Should the Linux kernel folks enable it by default?
>>>
>>>>>>> I'm inclined to answer "yes" to all three questions.  I think the
>>>>>>> FreeBSD JIT compiler is enabled by default.  I'm surprised that the Linux one isn't.
>>>>>> I checked in the dumpcap code. I agree that it might be useful in
>>>>>> libpcap too, root privileges are required to change it I think.
>>>>>> and Yes
>>>
>>>>>>> I'm surprised that the Linux one isn't
>>>>>> Regards
>>>>>> Anders