[Snort-users] Snort v2.6.0 (PCAP_FRAMES=max)

Stephen John Smoogen smooge at ...11827...
Tue Jun 6 16:59:41 EDT 2006


On 6/6/06, Harry Hoffman <hhoffman at ...10275...> wrote:
> Hi Ron,
>
> You'll most likely need to adjust the number to work with the packet
> capture size and amount of memory you have in the system.
>
>
> Try something like PCAP_FRAMES=32000 and see if that works for you.
>
> Phil Wood has some good docs on what all of the options mean and how to
> adjust them:
> http://public.lanl.gov/cpw/
>

Also make sure you have a library that can use that argument. I
debugged one issue where the machine had 3 libpcaps on it due to too
many cooks syndrome. It caused things to occur rather interesting
depending on what got used first.


> Hope this helps
>
> --Harry
>
> --
> Harry Hoffman
> Integrated Portable Solutions, LLC
> 877.846.5927 ext 1000
> http://www.ip-solutions.net/
>
>
> Ron Jenkins wrote:
> > I get the below error when tryp to use PCAP_FRAMES=max  .
> >
> >
> >
> > Initializing Network Interface eth1
> >
> > Error: setsockopt(PACKET_RX_RING): Cannot allocate memory
> >
> > ERROR: OpenPcap() device eth1 open:
> >
> >         malloc: Cannot allocate memory
> >
> > Fatal Error, Quitting..
> >
> >
> >
> > Below is the load line; any ideas?
> >
> >
> >
> > Thanks...
> >
> >
> >
> > PCAP_FRAMES=max  /usr/local/bin/snort -e -i eth1 -d -c
> > /etc/snort/snort.conf -l /var/log/snort --dynamic-preprocessor-lib-dir
> > /usr/local/lib/snort_dynamicpreprocessor/
> >
> >
> >
> >
> >
> >
> >
> > Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
> > Senior Architect
> > Data Integrity, LLC
> > "We Integrate People with Solutions"
> > 1724 Dallas Drive
> > Suite 11
> > Baton Rouge, La 70806
> > Office. 225.927.8030
> > Fax. 225.927.8033
> > Cell225.931.1632
> >
> > Email. rjenkins at ...12829...
> > Web. http://www.dibr.net
> >
> > (Aanval Reseller and Technology Partner)
> >
> > http://www.aanval.com/tour/dibr
> >
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator




More information about the Snort-users mailing list