OpenBSD Journal

[Ask OBSDJ] Running low on /dev/bpf's

Contributed by Dengue on from the nessus'ing dept.

Tom Helmer Hansen writes :
"I'm using OpenBSD as an audit platform. When doing larger Nessus scans the system quickly runs low on available bpf devices. If you are running Nessus yourself, consult the "/usr/local/var/nessus/logs/nessusd.dump" logfile to check whether there's any line with pcap.c complaining about "No free bpf".

My solution was to make a kernel with support for more bpf devices. I altered the config to:

   pseudo-device   bpfilter 50
and ran this Perl script to create the devices:

#!/usr/bin/perl
# Assume the user is root/wheel and umask is 022; run from /dev.
# Creates bpf11 .. bpf48 as character devices with major number 23.
use strict;
use warnings;

for (my $i = 11; $i < 49; $i++) {
    system("mknod", "bpf$i", "c", "23", $i) == 0
        or die "mknod bpf$i failed: $?";
    # bpf must not be readable by group/other: leaves the node mode 600
    system("chmod", "o-r,g-r", "bpf$i") == 0
        or die "chmod bpf$i failed: $?";
}
 
Of course there's no guarantee Nessus won't run low again. Nessus should be configured to run the scans with a parallelism low enough to keep it from running low on bpf's.

Is this the proper way to do this?

Regards, Tom"



Comments
  1. By don't ask! on

    Well, that's not the proper way! This job should actually be done by a shell-script.

  2. By Dave Diehl (dave@chezmou.org) on

    What you did will work, but may not be a great idea. Each active BPF device represents an additional filter each network packet will run through _in the kernel_. Remember that kernel processing is not threaded. If you add a large amount of kernel processing in this way, you significantly increase your chances of livelocking your box in the kernel. If you really need that many filters, using multiple boxes or userland processing is a more manageable solution.

  3. By Brad Smith (brad@comstyle.com) on

    No, there is an easier way to change the number of bpf devices that does not require recompiling the kernel. This also works for sl, tun, bridge, vlan, gre and gif interfaces.

    This requires 3.0 and up.

    root@ss5# config -ef /bsd
    OpenBSD 3.0-current (GENERIC_SCSI3) #0: Sun Jan 20 20:13:31 EST 2002
    brad@ss5:/usr/src/src/sys/arch/sparc/compile/GENERIC_SCSI3
    Enter 'help' for information
    ukc> change bpf
    132 bpfilter count 8 (pseudo device)
    change [n] y
    count [8] ? 12
    132 bpfilter changed
    132 bpfilter count 12 (pseudo device)
    ukc> quit
    Saving modified kernel.

    Then reboot and add the device files.

  4. By Andy on

    Being relatively new to OpenBSD, what are bpf (Berkeley Packet Filter) devices used for?

  5. By John Benninghoff (john.benninghoff@rbcdain.com) on

    I also use nessus on OBSD, and ran into the same problems you did. AFAIK, adding more bpf is the only option, and is specifically mentioned in the nessus-core README_BSD.

    Since I run nessus from a fairly fast system, I boosted the max threads to 64. To support this in the kernel, I increased the number of bpfs to 128. Since each thread shouldn't ever use more than one bpf, this is more than enough.

    However, I also found that nessus uses one pseudo-terminal per thread when running nmap, so I also needed to increase the pty count (to 128).

    To create the devices, I just added the following to the MAKEDEV shell script, just before the all) case:

    nessus)
    sh $this bpf10 bpf11 bpf12 bpf13 bpf14 bpf15 bpf16 bpf17 bpf18 bpf19
    sh $this bpf20 bpf21 bpf22 bpf23 bpf24 bpf25 bpf26 bpf27 bpf28 bpf29
    sh $this pty2 pty3 pty4
    ;;


    Just ./MAKEDEV nessus to create all the needed devices.
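The original post, comment 3 and comment 5 all end at the same step: once the bpfilter count has been raised (by rebuilding the kernel or with config -ef), the matching /dev/bpfN nodes still have to be created by hand. The script below is an added example and is neither the poster's Perl script nor OpenBSD's MAKEDEV. It prints the mknod/chmod commands for whichever nodes are missing instead of running them, so the list can be reviewed before it is piped to sh as root, and it counts the "No free bpf" lines in nessusd.dump that the post uses as the symptom. The bpf major number defaults to 23 as in the post; that value is an assumption about the platform of the day and must be checked against `ls -l /dev/bpf0` before use.

```shell
#!/bin/sh
# Added example, not the poster's script and not OpenBSD's MAKEDEV.
# Assumption: bpf character major is 23 as in the post; check it with
# `ls -l /dev/bpf0` and pass the real value as the third argument.

# Usage: bpf_mknod_cmds DEVDIR COUNT [MAJOR]
# Emits one mknod line and one chmod line per bpfN in [0, COUNT) that is
# not already a character device in DEVDIR. Nothing is executed here.
bpf_mknod_cmds() {
    devdir=$1
    count=$2
    major=${3:-23}
    i=0
    while [ "$i" -lt "$count" ]; do
        if [ ! -c "$devdir/bpf$i" ]; then
            echo "mknod $devdir/bpf$i c $major $i"
            # bpf hands out every packet on the wire: root only,
            # the same result as the post's chmod o-r,g-r on a 644 node
            echo "chmod 600 $devdir/bpf$i"
        fi
        i=$((i + 1))
    done
}

# Usage: bpf_present DEVDIR
# Number of bpfN entries in DEVDIR that really are character devices.
bpf_present() {
    n=0
    for f in "$1"/bpf[0-9]*; do
        [ -c "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage: nessus_no_free_bpf LOGFILE
# Count "No free bpf" complaints in nessusd.dump; a missing or unreadable
# log counts as 0 rather than an error.
nessus_no_free_bpf() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c 'No free bpf' "$1" || true
}

# Typical run as root, after the count was raised to 50:
#   bpf_mknod_cmds /dev 50        # review the list
#   bpf_mknod_cmds /dev 50 | sh   # create the nodes
```

Because the script only emits commands, it can be run as an unprivileged user to see what would change, and re-running it after the nodes exist produces no output, so it is safe to repeat after the next kernel change. Whether the count is high enough is still decided the way the post says: by rerunning the scan and checking that nessus_no_free_bpf reports 0.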

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]