[Snort-users] Question

Martin Holste mcholste at ...11827...
Sat Jul 23 01:18:53 EDT 2011


Ring buffer memory is only a buffer, and a buffer will eventually fail
if the CPU cannot keep up with the traffic.  No matter how large the
buffer, eventually it will run out because it's in a losing game.  A
large buffer just buys you a few seconds before the packet loss.  One
thing a lot of RAM will get you is the ability to run ac for your
pattern matching engine instead of ac-split.  That will increase
performance and might let your CPU keep up.

> 1. When I start with the variables (which I have been using for a year with no problem) I get no packet loss.  However the snort process just "disappears/stops after 24 hours" with no logs as to why.

Sounds like a cron job is killing it.

> 2. When I start without the variables Snort is stable but I get an average of 25% packet loss.

As I understand it, PF_RING won't use those variables anyway.  To get
a look, cat /proc/net/pf_ring/<file for snort pid> which should give
you the best numbers.

>
> Again I have 12GB of memory on this R710. I can't imagine why it's running out of memory.  And the fact that it's been running fine for a year is what's killing me. It has to be a rule causing this.
>
> 7/18/2011 9:33 AM :   snort[7491]: FATAL ERROR: Can't start DAQ (-1) can't mmap rx ring: Cannot allocate memory!
>
> PCAP_MEMORY=6120 PCAP_FRAMES=65535 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

I don't think it's actually running out of memory or can't allocate
it, I think it's a different problem.  What are your daq config
variables?



