[Winpcap-users] On win32, how to increase kernel buffer size more than 128

Gianluca Varenni gianluca.varenni at cacetech.com
Fri Nov 20 10:05:00 PST 2009

128MB is basically a hard limit of the windows kernel on 32 bit machines (it's actually a bit higher than that). There is nothing you can do to change it. 

However, let's step back for one second. Increasing the kernel buffer size helps only in some very limited situations i.e. when you average traffic rate is pretty low, you have some short term spikes of traffic, and your application is not able to cope with these sudden spikes in a timely fashion. Increasing the kernel buffer size will help because the packets of the spike will be stored in the buffer while your application slowly processes them. It's my understanding that in your case you average traffic rate is just higher (250Mbps). In this case, increasing the kernel buffer size will not help. It will just delay the instant when you will start dropping packets (e.g. after 10 seconds from the beginning of the capture instead of 1second). In this case you need to understand why you are losing packets:


- is your application too slow to process the packets?

- are you dumping to disk? In this case, the disk can definitely be a bottleneck.


Hope it helps


  ----- Original Message ----- 
  From: Santosh Karankoti 
  To: winpcap-users at winpcap.org 
  Sent: Friday, November 20, 2009 7:54 AM
  Subject: [Winpcap-users] On win32,how to increase kernel buffer size more than 128



  My machine windows XP (win32) gets the voice traffic of more than 250 Mbps at NIC from a switch. Basically, my NIC was at 100 Mbps and the port on the switch is also the same. I am developing an app to use winpcap lib to read packets from my NIC and write it to file. I also ran parallel wireshark to check performance of my app. When my app and wireshark running both at a time on my machine, I could clearly see that the packets were getting lost. This was at the time when the traffic was 100 Mbps. When my app was trying to read 100 Mbps packets rate I could clearly see that not all the packets were read and most of the packets were lost by my app but in wireshark I could see all the packets in sequence, thought the limit of 100 Mbps is reached, I increased the link to be 1Gig at switch port and my NIC. Now the 100 Mbps is ok. 


  I increased the load to receive 150 Mbps, which almost was very equal to the wireshark capturing, was fine there. When I jumped to 200 Mbps and (max) 250 Mbps traffic. 

  Here I again encountered the packets are getting lost. Now this time when I compared with wireshark, there I could see clearly that it did not had some of the sequence packets and it did not mention or say that the packet segmentation lost. 


  Might be that the packets are genuinely lost at the switch or the winpcap library kernel buffer is getting overflown at this limit. At the switch the port is 1Gig bit, seems like no issue from the switch port. Found that the winpcap has limit of 128 MB kernel buffer size in the 32 bit. I ran the same in the 64 bit machine, got the same issue there also. But its limit there seems to be 128 GB. Not sure whether these values are correct or not. 


  My next alternate is to try increasing the winpcap kernel buffer size for 32 bit. I don't want to try new things with 64 bit machine. I saw some thread to use 


  BOOLEAN PacketSetBuff(LPADAPTER AdapterObject, int dim) function.


  But where I can I find complete details of where can I find this function in which file of Winpcap file and details of the library name, file name, dll name. FYI, my app uses v4.0.2 winpcap. A quick response with some helpful stuff is appreciable.







  Winpcap-users mailing list
  Winpcap-users at winpcap.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20091120/a55f87bb/attachment.htm 

More information about the Winpcap-users mailing list