Snort mailing list archives
Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram?
From: Frank Knobbe <frank () knobbe us>
Date: Sun, 30 Jan 2011 17:55:18 -0600
On Sun, Jan 30, 2011 at 02:20:54PM -0500, Michael Scheidell wrote:
> sysctl net.bpf.bufsize=536870912
> net.bpf.bufsize: 4096 -> 536870912
> sysctl net.bpf
> net.bpf.maxinsns: 512
> net.bpf.maxbufsize: 1073741824
> net.bpf.bufsize: 536870912
> restart snort.
> so, I am still wondering if snort is using daq !
> that was fun. it just caused the system to reboot.
You're probably running out of kernel memory. Remember, each instance of a bpf program will suck up $bpf.bufsize of memory. Not sure what sort of KVA_PAGES setting is compiled in your kernel and what your vm.kmem_size and vm.kmem_size_max settings are.

BTW: I found that any bpf size greater than 10 MB seems to be a waste of memory. At least in my setup, 10485760 for bufsiz and maxbufsiz seems plenty, with no dropped packets.

Cheers,
Frank
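An added example, not part of the original message: a pre-flight check that compares the kernel memory a planned `net.bpf.bufsize` would claim against `vm.kmem_size` before the value is applied. The helper names, the 25% budget and the sample `vm.kmem_size` value are assumptions made for illustration; the per-instance cost of one `net.bpf.bufsize` follows the reply above.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a planned net.bpf.bufsize
# against kernel memory before applying it on a FreeBSD sensor.

# Constructed sample in `sysctl net.bpf.bufsize vm.kmem_size` output format.
# $1 = bufsize to test; the vm.kmem_size value (1 GiB) is made up.
sample_sysctl() {
    printf 'net.bpf.bufsize: %s\nvm.kmem_size: 1073741824\n' "$1"
}

# bpf_demand_check INSTANCES [BUDGET_PCT]
# Reads "name: value" sysctl lines on stdin. Assumes each capture instance
# holds one buffer of net.bpf.bufsize bytes, as stated in the reply above.
# BUDGET_PCT (default 25) is an assumed cap on the share of vm.kmem_size
# that bpf buffers may take; tune it for your kernel.
# Returns 0 = within budget, 1 = over budget, 2 = missing values.
bpf_demand_check() {
    awk -F': *' -v n="$1" -v pct="${2:-25}" '
        $1 == "net.bpf.bufsize" { buf = $2 + 0 }
        $1 == "vm.kmem_size"    { kmem = $2 + 0 }
        END {
            if (buf <= 0 || kmem <= 0 || n <= 0) {
                print "missing net.bpf.bufsize, vm.kmem_size or instance count"
                exit 2
            }
            demand = buf * n
            budget = kmem * pct / 100
            mib = 1048576
            printf "demand=%.0fMiB budget=%.0fMiB (%d%% of kmem) ", demand / mib, budget / mib, pct
            if (demand > budget) { print "OVER"; exit 1 }
            print "ok"
        }'
}

# Demo on the constructed sample: the 512 MB value from the thread with one
# instance, then the 10 MB value with four instances.
sample_sysctl 536870912 | bpf_demand_check 1 || :
sample_sysctl 10485760  | bpf_demand_check 4 || :
```

On a live host the input would come from `sysctl net.bpf.bufsize vm.kmem_size` piped into `bpf_demand_check` with the number of Snort instances as the first argument.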