Snort mailing list archives
Re: PCAP_MEMORY issue
From: Phil Wood <cpw () lanl gov>
Date: Wed, 25 Feb 2009 16:13:39 -0700
Good evening,

Those of you on linux boxes might be interested in the explanation below regarding PCAP_MEMORY and the libpcap found at:

  http://public.lanl.gov/cpw

Here is my current memory (from % top) after a reboot (no packet capture or other apps running):

  Mem: 16433092k total, 157808k used, 16275284k free, 11204k buffers

Now I'll run a tcpdump:

  root@sensor01 ~]# export PCAP_MEMORY=max
  root@sensor01 ~]# PCAP_SNAPLEN=1514 /usr/local/bin/tcpdump -i eth2 -w /dev/null
  DEBUG, tring setup:block_size = 524288, block_nr = 8191, frame_size = 1584, frame_nr = 2703030, mem = 4.29444e+09
  tcpdump: WARNING: snaplen raised from 68 to 1514
  tcpdump: WARNING: eth2: no IPv4 address assigned
  tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1514 bytes

Top now shows:

  Mem: 16433092k total, 4209100k used, 12223992k free, 12460k buffers

I'll break out now:

  41010608 packets captured
  41010608 packets received by filter
  0 packets dropped by kernel

If you have to use a large snapshot length (like for jumbo frames) then the number of packets you can get on the ring will go down a bunch. Also, the individual memory frames have to be on 2048 k boundaries (or more with larger sized packets).

Basically, if PCAP_MEMORY=max doesn't work for you then you will have to use trial and error to find what works. I'm guessing that after a few restarts of a pcap based program, the shared memory gets fragmented such that a request for a block of shared memory that worked after reboot may not work after some period of time. So, you should also start with a freshly booted system. A caveat on that is that if you have other memory intensive (relatively speaking) applications running on the machine your mileage will vary. As in, strange things might happen if your system is memory starved.

Let me know how it goes.

On Wed, 2009-02-25 at 10:46 -0700, Jefferson, Shawn wrote:

Hi Phil,

I’ve posted this to the snort-users list, but I thought I’d also ask you. I’m running your libpcap library with snort.

  Mem: 16433092k total, 2417096k used, 14015996k free, 475136k buffers

I’m using PCAP_MEMORY, and the highest I can seem to go is:

  PCAP_MEMORY=800000

If I try to increase it, I get error messages when snort is starting:

  Error: setsockopt(PACKET_RX_RING): Cannot allocate memory

However, running top shows I’ve got 1.8 GB of memory left available on this machine. Is there something else I need to tweak to allow a higher amount of memory for libpcap? Do you have any ideas?

Thanks,
Shawn
--
C. Philip Wood, Int. D.
Senior Member of the Internet
Los Alamos National Laboratory
Key fingerprint: 2BB7 A990 44F5 EF4B 4E35 8635 1205 97D3 F6D8 7F39
E-mail: cpw () lanl gov, cornett () arpa net
Phone: 505 667-2598
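The numbers in the DEBUG line of the message above can be reproduced from the ring geometry rules the Linux kernel applies to a PACKET_RX_RING request. The following is an added example, not part of the original message and not code from the libpcap it describes; `ring_req`, `ring_plan` and `ring_slack` are hypothetical names, the 4096-byte page size is an assumption, and the 9088-byte jumbo frame size is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>

#define RING_ALIGNMENT 16u /* value of TPACKET_ALIGNMENT in <linux/if_packet.h> */

/* Local stand-in for the four fields of struct tpacket_req (hypothetical name). */
struct ring_req { unsigned block_size, block_nr, frame_size, frame_nr; };

/* Plan a ring for a byte budget. Returns the bytes the ring occupies, or 0 if
 * the geometry fails the checks the kernel makes on a PACKET_RX_RING request. */
uint64_t ring_plan(uint64_t budget, unsigned block_size, unsigned frame_size,
                   unsigned page_size, struct ring_req *req)
{
    if (page_size == 0 || block_size == 0 || block_size % page_size)
        return 0;                         /* a block must be whole pages */
    if (frame_size == 0 || frame_size % RING_ALIGNMENT)
        return 0;                         /* a frame must be 16-byte aligned */
    unsigned per_block = block_size / frame_size; /* frames never span blocks */
    uint64_t blocks = budget / block_size;
    if (per_block == 0 || blocks == 0 || blocks * per_block > UINT32_MAX)
        return 0;
    req->block_size = block_size;
    req->block_nr = (unsigned)blocks;
    req->frame_size = frame_size;
    req->frame_nr = (unsigned)(blocks * per_block); /* must equal per_block * block_nr */
    return blocks * block_size;
}

/* Bytes at the end of each block that hold no frame. */
unsigned ring_slack(const struct ring_req *req)
{
    return req->block_size % req->frame_size;
}

int main(void)
{
    struct ring_req r;
    uint64_t budget = 8191ull * 524288; /* mem = 4.29444e+09 from the DEBUG line */
    unsigned sizes[] = { 1584, 9088 };  /* 1584 from the message; 9088 constructed (jumbo) */
    for (int i = 0; i < 2; i++) {
        uint64_t mem = ring_plan(budget, 524288, sizes[i], 4096, &r);
        printf("frame_size=%u block_nr=%u frame_nr=%u mem=%llu slack=%u\n",
               r.frame_size, r.block_nr, r.frame_nr, (unsigned long long)mem, ring_slack(&r));
    }
    return 0;
}
```

With the message's values, 330 frames fit in each 524288-byte block, which gives the reported frame_nr of 2703030; the same memory holds far fewer frames at the jumbo frame size.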