[Snort-users] PCAP_MEMORY issue

Phil Wood cpw at ...440...
Wed Feb 25 18:13:39 EST 2009

Good evening,

Those of you on linux boxes might be interested in the explanation below
regarding PCAP_MEMORY and the libpcap found at:

Here is my current memory (from % top) after a reboot (no packet capture
or other apps running):

Mem:  16433092k total,   157808k used, 16275284k free,    11204k buffers

Now I'll run a tcpdump:

root at ...14526... ~]# export PCAP_MEMORY=max
root at ...14526... ~]# PCAP_SNAPLEN=1514 /usr/local/bin/tcpdump -i eth2 -w /dev/null 
DEBUG, tring setup:block_size = 524288, block_nr = 8191, frame_size = 1584, frame_nr = 2703030, mem = 4.29444e+09
tcpdump: WARNING: snaplen raised from 68 to 1514
tcpdump: WARNING: eth2: no IPv4 address assigned
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1514 bytes

Top now shows:

Mem:  16433092k total,  4209100k used, 12223992k free,    12460k buffers

I'll break out now:

41010608 packets captured
41010608 packets received by filter
0 packets dropped by kernel

If you have to use a large snapshot length (like for jumbo frames) then
the number of packets you can get on the ring will go down a bunch.
Also, the individual memory frames have to be on 2048 k boundaries (or
more with larger sized packets). Basically, if PCAP_MEMORY=max doesn't
work for you then you will have to use trial and error to find what

I'm guessing that after a few restarts of a pcap based program, that the
shared memory gets fragmented such that a request for a block of shared
memory that worked after reboot may not work after some period of time.
So, you should also start with a freshly booted system.  A caveat on
that is that if you have other memory intensive (relatively speaking)
applications running on the machine your mileage will very.  As in,
strange things might happen if your system is memory starved.

Let me know how it goes.

On Wed, 2009-02-25 at 10:46 -0700, Jefferson, Shawn wrote:
> Hi Phil,
> I’ve posted this to the snort-users list, but I thought I’d also ask
> you.  I’m running your libpcap library with snort.
>  Mem:  16433092k total,  2417096k used, 14015996k free,   475136k
> buffers

> I’m using PCAP_MEMORY, and the highest I can seem to go is:
> PCAP_MEMORY=800000
> If I try to increase it, I get error messages when snort is starting:
> Error: setsockopt(PACKET_RX_RING): Cannot allocate memory
> However, running top shows I’ve got 1.8 GB of memory left available on
> this machine.  Is there something else I need to tweak to allow a
> higher amount of memory for libpcap?
> Do you have any ideas?
> Thanks,
> Shawn
C. Philip Wood, Int. D.
Senior Member of the Internet
Los Alamos National Laboratory
Key fingerprint: 2BB7 A990 44F5 EF4B 4E35  8635 1205 97D3 F6D8 7F39
E-mail: cpw at ...440..., cornett at ...1649...
Phone: 505 667-2598
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090225/5571e461/attachment.sig>

More information about the Snort-users mailing list