Snort mailing list archives

Re: PCAP_MEMORY issue


From: Phil Wood <cpw () lanl gov>
Date: Wed, 25 Feb 2009 16:13:39 -0700

Good evening,

Those of you on linux boxes might be interested in the explanation below
regarding PCAP_MEMORY and the libpcap found at:
http://public.lanl.gov/cpw

Here is my current memory (from % top) after a reboot (no packet capture
or other apps running):

Mem:  16433092k total,   157808k used, 16275284k free,    11204k buffers

Now I'll run a tcpdump:

root@sensor01 ~]# export PCAP_MEMORY=max
root@sensor01 ~]# PCAP_SNAPLEN=1514 /usr/local/bin/tcpdump -i eth2 -w /dev/null 
DEBUG, tring setup:block_size = 524288, block_nr = 8191, frame_size = 1584, frame_nr = 2703030, mem = 4.29444e+09
tcpdump: WARNING: snaplen raised from 68 to 1514
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1514 bytes

Top now shows:

Mem:  16433092k total,  4209100k used, 12223992k free,    12460k buffers

I'll break out now:

41010608 packets captured
41010608 packets received by filter
0 packets dropped by kernel

If you have to use a large snapshot length (like for jumbo frames) then
the number of packets you can get on the ring will go down a bunch.
Also, the individual memory frames have to be on 2048 k boundaries (or
more with larger sized packets). Basically, if PCAP_MEMORY=max doesn't
work for you then you will have to use trial and error to find what
works.

I'm guessing that after a few restarts of a pcap based program, that the
shared memory gets fragmented such that a request for a block of shared
memory that worked after reboot may not work after some period of time.
So, you should also start with a freshly booted system.  A caveat on
that is that if you have other memory intensive (relatively speaking)
applications running on the machine your mileage will vary.  As in,
strange things might happen if your system is memory starved.

Let me know how it goes.

On Wed, 2009-02-25 at 10:46 -0700, Jefferson, Shawn wrote:
Hi Phil,
 
I’ve posted this to the snort-users list, but I thought I’d also ask
you.  I’m running your libpcap library with snort.
 Mem:  16433092k total,  2417096k used, 14015996k free,   475136k buffers

I’m using PCAP_MEMORY, and the highest I can seem to go is:
PCAP_MEMORY=800000
 
If I try to increase it, I get error messages when snort is starting:
Error: setsockopt(PACKET_RX_RING): Cannot allocate memory
 
However, running top shows I’ve got 1.8 GB of memory left available on
this machine.  Is there something else I need to tweak to allow a
higher amount of memory for libpcap?
 
 
Do you have any ideas?
 
Thanks,
Shawn
 
-- 
C. Philip Wood, Int. D.
Senior Member of the Internet
Los Alamos National Laboratory
Key fingerprint: 2BB7 A990 44F5 EF4B 4E35  8635 1205 97D3 F6D8 7F39
E-mail: cpw () lanl gov, cornett () arpa net
Phone: 505 667-2598
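
An added example, not part of the original message and not code from the libpcap discussed above: it reproduces the ring arithmetic in the DEBUG line (block_size, block_nr, frame_size, frame_nr, mem) and reruns it for a constructed jumbo-frame snaplen to show how far the frame count falls. Assumptions: the 70-byte per-frame overhead is inferred from that line (1584 - 1514), pages are 4 KiB, and all function and struct names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define RING_ALIGN 16u      /* TPACKET_ALIGNMENT in <linux/if_packet.h> */
#define PAGE_BYTES 4096u    /* assumption: 4 KiB pages */
#define FRAME_OVERHEAD 70u  /* assumption: 1584 - 1514 from the DEBUG line */

struct ring_geom {
    uint32_t frame_size, frames_per_block, frame_nr, block_order;
    uint64_t mem;
};

/* Round snaplen plus per-frame overhead up to the ring alignment. */
static uint32_t frame_size_for(uint32_t snaplen)
{
    return (snaplen + FRAME_OVERHEAD + RING_ALIGN - 1) & ~(RING_ALIGN - 1);
}

/* Derive the ring layout from a snaplen and a block_size/block_nr pair. */
static struct ring_geom ring_geometry(uint32_t snaplen, uint32_t block_size,
                                      uint32_t block_nr)
{
    struct ring_geom g = {0};
    g.frame_size = frame_size_for(snaplen);
    g.frames_per_block = block_size / g.frame_size; /* frames never span blocks */
    g.frame_nr = g.frames_per_block * block_nr;
    g.mem = (uint64_t)block_size * block_nr;        /* exceeds 32 bits here */
    /* Page order of one block: log2 of the pages in a single block. */
    for (uint32_t pages = block_size / PAGE_BYTES; pages > 1; pages >>= 1)
        g.block_order++;
    return g;
}

int main(void)
{
    uint32_t snaplens[] = {1514, 9014}; /* 9014: constructed jumbo-frame case */
    for (int i = 0; i < 2; i++) {
        struct ring_geom g = ring_geometry(snaplens[i], 524288, 8191);
        printf("snaplen=%u frame_size=%u frames/block=%u frame_nr=%u "
               "mem=%llu order=%u\n", snaplens[i], g.frame_size,
               g.frames_per_block, g.frame_nr,
               (unsigned long long)g.mem, g.block_order);
    }
    return 0;
}
```

On kernels that allocate each ring block as one physically contiguous run of pages, the block order is what matters for the "Cannot allocate memory" error: a 524288-byte block needs 128 adjacent free pages, which free memory reported by top does not guarantee.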
