[Snort-users] PCAP_MEMORY issue

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Mar 3 12:29:42 EST 2009


Tasks:  74 total,   2 running,  72 sleeping,   0 stopped,   0 zombie
Cpu(s): 14.6%us,  0.4%sy,  0.0%ni, 83.4%id,  0.0%wa,  0.0%hi,  1.5%si,  0.0%st
Mem:   3115832k total,  1349952k used,  1765880k free,     9468k buffers
Swap:  2939852k total,        0k used,  2939852k free,   137108k cached

Linux <servername> 2.6.24-23-server #1 SMP Mon Jan 26 00:55:21 UTC 2009 i686 GNU/Linux

Ubuntu 8.04, which I think has slab (??).  I googled some on memory fragmentation, and found some commands to check for memory fragmentation, but I'm not totally sure what I'm looking at.

root at ...14530...:~# vmstat -s
      3115832 K total memory
      1343616 K used memory
       397572 K active memory
        68328 K inactive memory
      1772216 K free memory
         8872 K buffer memory
       131760 K swap cache
      2939852 K total swap
            0 K used swap
      2939852 K free swap
     18577114 non-nice user cpu ticks
            0 nice user cpu ticks
       473536 system cpu ticks
    185481446 idle cpu ticks
       134474 IO-wait cpu ticks
       144290 IRQ cpu ticks
       358175 softirq cpu ticks
            0 stolen cpu ticks
       670958 pages paged in
     31155560 pages paged out
            0 pages swapped in
            0 pages swapped out
   1751057950 interrupts
   1437711074 CPU context switches
   1235604996 boot time
        25810 forks

root at ...14530...:~# grep Normal /var/log/messages | tail -1
Mar  3 09:19:04 servername kernel: [495516.650157] Normal: 651*4kB 5*8kB 1*16kB 1*32kB 1*64kB 1*128kB 1*256kB 1*512kB 1*1024kB 0*2048kB 0*4096kB = 4676kB

I only have 3GB total memory in this machine at the moment.

-----Original Message-----
From: Stephen John Smoogen [mailto:smooge at ...11827...] 
Sent: February 26, 2009 12:27 PM
To: Jefferson, Shawn
Cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] PCAP_MEMORY issue

On Tue, Feb 24, 2009 at 1:49 PM, Jefferson, Shawn
<Shawn.Jefferson at ...14448...> wrote:
> I'm using PCAP_MEMORY, and the highest I can seem to go is:
> PCAP_MEMORY=800000
> If I try to increase it, I get error messages when snort is starting:
> Error: setsockopt(PACKET_RX_RING): Cannot allocate memory
> However, running top shows I've got 1.8 GB of memory left available on this
> machine.  Is there something else I need to tweak to allow a higher amount
> of memory for libpcap?
> PS. I'm using Phil Wood's libpcap.

What are the system stats? CPU, kernel version, total memory, and does
the system have slab, slub, or some other memory allocation in use? [I
don't know how to tell this myself.. my systems are old enough to only
have slab.. but the new kernels would have access to different memory
allocations.] My guess is that one of the following is occurring:

Not enough contiguous memory.
Contiguous Memory is not in a directly mappable zone. (If you have a
4+GB machine and you are trying to do this on a 32 bit architecture)

Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
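
For readers unsure how to read the `Normal:` kernel line quoted in the message above, the following added example (not part of the original thread or of Snort/libpcap) parses it as the kernel's per-zone buddy-allocator free list and reports the largest physically contiguous free block. The function names are hypothetical, and `chunks_available` assumes larger free blocks can be split and ignores kernel watermarks and reserves.

```python
import re

# The kernel log line from the message above (format as printed by this 2.6.24
# kernel; other kernel versions may print extra fields this parser ignores).
SAMPLE = ("Mar  3 09:19:04 servername kernel: [495516.650157] Normal: 651*4kB "
          "5*8kB 1*16kB 1*32kB 1*64kB 1*128kB 1*256kB 1*512kB 1*1024kB "
          "0*2048kB 0*4096kB = 4676kB")

LINE_RE = re.compile(
    r"(?P<zone>\w+):\s+(?P<body>(?:\d+\*\d+kB\s+)+)=\s*(?P<total>\d+)kB")
PAIR_RE = re.compile(r"(\d+)\*(\d+)kB")


def parse_zone_line(line):
    """Return (zone, {block_size_kb: free_block_count}, reported_total_kb)."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a per-zone free-list line: %r" % line)
    free = {int(size): int(count)
            for count, size in PAIR_RE.findall(m.group("body"))}
    return m.group("zone"), free, int(m.group("total"))


def total_free_kb(free):
    """Sum of count * block size; should equal the total the kernel printed."""
    return sum(size * count for size, count in free.items())


def largest_free_block_kb(free):
    """Largest physically contiguous free block, or 0 if the zone is empty."""
    return max((size for size, count in free.items() if count > 0), default=0)


def chunks_available(free, chunk_kb):
    """Contiguous chunks of chunk_kb obtainable, assuming larger blocks are split
    and ignoring kernel watermarks/reserves (a simplifying assumption)."""
    return sum(count * (size // chunk_kb)
               for size, count in free.items() if size >= chunk_kb)


if __name__ == "__main__":
    zone, free, reported = parse_zone_line(SAMPLE)
    print("%s zone: %d kB free (kernel reported %d kB)"
          % (zone, total_free_kb(free), reported))
    print("largest contiguous free block: %d kB" % largest_free_block_kb(free))
    for chunk in (4, 128, 1024, 2048):
        print("  %4d kB chunks obtainable: %d"
              % (chunk, chunks_available(free, chunk)))
```

Each `N*SkB` term is the number of free blocks of that size in the zone, so the total free figure and the largest contiguous block are separate numbers; the contiguous-memory question in the reply concerns the latter.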
