[Zeek] Large af_packet buffer size == missing logs

Mark Gardner mkg at vt.edu
Tue May 7 06:32:52 PDT 2019


In an effort to reduce capture loss, the af_packet buffer size was
increased from the default to 2GB in node.cfg using
"af_packet_buffer_size=2*1024*1024*1024". The capture loss afterwards was
zero but many of the other logs also went missing, including conn.log.

Going to 1GB with "af_packet_buffer_size=1*1024*1024*1024", the missing
logs started being collected again. The capture loss, while better, was
still up to 10%.

Choosing the middle with 1.5GB via "af_packet_buffer_size=1536*1024*1024"
(it seems it has to be integer calculations), several of the logs, including
conn.log, went missing again.

The sensors all have 128 GB RAM for only 15 workers, so memory should not be
an issue. But it seems something goes wrong while trying to utilize the
wealth of RAM.

Any idea what I am doing wrong?
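A practitioner reading the numbers above will want two things made explicit: that the af_packet_buffer_size expression is evaluated as integer arithmetic (so "1.5*1024*1024*1024" is not a valid spelling of 1.5GB, which is why the post uses 1536*1024*1024), and how much ring-buffer memory a node.cfg actually requests per sensor host once lb_procs is taken into account. The following script is an added example, not code from the original post or from the zeekctl project. It parses the INI-style node.cfg format zeekctl uses, evaluates af_packet_buffer_size with integer-only arithmetic, and totals per-host ring memory for af_packet workers. Assumptions: the 128 MiB fallback used when a worker omits af_packet_buffer_size, the 50% of RAM "fits" threshold, the sample node.cfg text, and the sensor host name are all constructed for the example; the script does not diagnose why logs go missing.

```python
"""Sanity-check af_packet_buffer_size in a zeekctl node.cfg.

Added example (not from the original post or the zeekctl project).
Evaluates the buffer-size expression as integer arithmetic only and
totals the ring memory each sensor host would allocate for its workers.
"""
import ast
import configparser
import operator

# Assumed fallback when a worker sets no af_packet_buffer_size; verify
# against the af_packet plugin version you run.
DEFAULT_BUFFER_SIZE = 128 * 1024 * 1024

# Only plain integer arithmetic is accepted; anything else is an error.
SAFE_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
}


def eval_int_expr(expr):
    """Evaluate e.g. '1536*1024*1024'; reject floats, names, calls."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            if isinstance(node.value, int) and not isinstance(node.value, bool):
                return node.value
            raise ValueError("non-integer literal %r" % (node.value,))
        if isinstance(node, ast.BinOp) and type(node.op) in SAFE_OPS:
            return SAFE_OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("unsupported expression: %s" % ast.dump(node))
    return ev(ast.parse(expr.strip(), mode="eval"))


def is_integer_expr(expr):
    """True if the expression is acceptable integer arithmetic."""
    try:
        eval_int_expr(expr)
        return True
    except (ValueError, SyntaxError):
        return False


def ring_memory_per_host(cfg_text):
    """Return {host: total af_packet ring bytes} over all af_packet workers.

    Each worker entry contributes lb_procs * af_packet_buffer_size, since
    every load-balanced process gets its own ring.
    """
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    totals = {}
    for section in cp.sections():
        sec = cp[section]
        if sec.get("type") != "worker" or sec.get("lb_method") != "af_packet":
            continue
        procs = int(sec.get("lb_procs", "1"))
        size = eval_int_expr(sec.get("af_packet_buffer_size",
                                     str(DEFAULT_BUFFER_SIZE)))
        host = sec.get("host", "localhost")
        totals[host] = totals.get(host, 0) + procs * size
    return totals


def check_fit(totals, mem_bytes, max_fraction=0.5):
    """Map host -> (ring bytes, fits) using an assumed RAM-fraction threshold."""
    return {h: (b, b <= mem_bytes * max_fraction) for h, b in totals.items()}


# Constructed sample node.cfg mirroring the post: 15 af_packet workers on
# one sensor, each with a 2GB ring. Host name is an assumption.
SAMPLE_NODE_CFG = """
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=sensor1
interface=eth0
lb_method=af_packet
lb_procs=15
af_packet_buffer_size=2*1024*1024*1024
"""

if __name__ == "__main__":
    totals = ring_memory_per_host(SAMPLE_NODE_CFG)
    for host, (b, fits) in check_fit(totals, 128 * 1024 ** 3).items():
        print("%s: %.1f GiB of rings, fits=%s" % (host, b / 1024 ** 3, fits))
```

Run it against your real node.cfg by reading the file into ring_memory_per_host; the float check is the one that explains the "integer calculations" observation, and the per-host total is the figure to compare with what the kernel can actually allocate for packet rings, which is a separate limit from total RAM.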