Snort mailing list archives

Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram?


From: Frank Knobbe <frank () knobbe us>
Date: Sun, 30 Jan 2011 17:55:18 -0600

On Sun, Jan 30, 2011 at 02:20:54PM -0500, Michael Scheidell wrote:
sysctl net.bpf.bufsize=536870912
net.bpf.bufsize: 4096 -> 536870912
sysctl net.bpf
net.bpf.maxinsns: 512
net.bpf.maxbufsize: 1073741824
net.bpf.bufsize: 536870912

Restart snort.
So, I am still wondering if snort is using daq!


That was fun.  It just caused the system to reboot.


You're probably running out of kernel memory. Remember, each instance of a 
bpf program will suck up $bpf.bufsize of memory. Not sure what sort of
KVA_PAGES setting is compiled in your kernel and what your vm.kmem_size and
vm.kmem_size_max settings are.

BTW: I found that any bpf size greater than 10 MB seems to be a waste of
memory. At least in my setup, 10485760 for bufsiz and maxbufsiz seems
plenty, with no dropped packets.

Cheers,
Frank
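
A pre-flight check for the failure described in this reply, as an added example that is not part of the original post: it takes the per-instance cost as stated above (each bpf consumer holds net.bpf.bufsize of kernel memory) and compares the total against vm.kmem_size before the sysctl is changed. The function names, the sample vm.kmem_size value and the 25% budget are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `sysctl` output. On a real FreeBSD host, feed in:
#   sysctl net.bpf.bufsize net.bpf.maxbufsize vm.kmem_size
# The vm.kmem_size value here is made up for the example.
SAMPLE_SYSCTL='net.bpf.bufsize: 4096
net.bpf.maxbufsize: 1073741824
vm.kmem_size: 335544320'

# sysctl_value NAME TEXT: print the value of NAME from "name: value" lines.
sysctl_value() {
    printf '%s\n' "$2" | awk -F': ' -v k="$1" '$1 == k { print $2; exit }'
}

# bpf_check BUFSIZE INSTANCES SYSCTL_TEXT [BUDGET_PCT]
# Returns 0 if the planned setting fits, 1 if it should be rejected,
# 2 if the needed sysctl values are missing from SYSCTL_TEXT.
# BUDGET_PCT (share of vm.kmem_size allowed for bpf buffers) is an
# assumed policy knob, defaulting to 25.
bpf_check() {
    want=$1; inst=$2; text=$3; pct=${4:-25}
    max=$(sysctl_value net.bpf.maxbufsize "$text")
    kmem=$(sysctl_value vm.kmem_size "$text")
    if [ -z "$max" ] || [ -z "$kmem" ]; then
        echo "UNKNOWN: net.bpf.maxbufsize or vm.kmem_size not found"
        return 2
    fi
    if [ "$want" -gt "$max" ]; then
        echo "REJECT: $want is above net.bpf.maxbufsize ($max)"
        return 1
    fi
    total=$((want * inst))          # bufsize per bpf consumer, per the reply
    budget=$((kmem / 100 * pct))
    if [ "$total" -gt "$budget" ]; then
        echo "REJECT: $inst x $want = $total bytes, budget is $budget of $kmem"
        return 1
    fi
    echo "OK: $inst x $want = $total bytes, budget is $budget of $kmem"
}

# The 512 MB value from the quoted message, then the 10 MB value from the reply.
bpf_check 536870912 1 "$SAMPLE_SYSCTL" || true
bpf_check 10485760 4 "$SAMPLE_SYSCTL" || true
```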

