Af_packet error on RHEL



First, I'd like to thank you for the great job you're doing!

Here is my use case:
I want to get DNS data into ELK (huge amount of packets/sec).
Packetbeat is installed on a dedicated server.

I installed Packetbeat (1.0.0 rpm for RHEL install).

Here is the RHEL release version:

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

My packetbeat.yml:

> interfaces:
>   device: eth1
>   with_vlans: true
> protocols:
>   dns:
>     ports: [53]
>     include_authorities: true
>     include_additionals: true
> output:
>   logstash:
>     hosts: ["localhost:5044"]
>     worker: 2

When trying the af_packet type in packetbeat.yml, I get the following error:

2015-12-15T14:27:59+01:00 CRIT Initializing sniffer failed:
Error creating sniffer: setsockopt packet_rx_ring: cannot allocate memory

I'm not a Linux specialist, so could you please advise?

Best regards.

(Tudor Golubenco) #2

Can you try dropping the caches, please:

 echo 3 > /proc/sys/vm/drop_caches

And check (e.g. with free) that you have at least 100 MB or so free. The af_packet mode needs to allocate the whole buffer at startup.


Thanks for the answer.
Performed, but I got the same CRIT error.
Here is the free output:

free -h
             total       used       free     shared    buffers     cached
Mem:          2.0G       448M       1.5G         4K        44M        41M
-/+ buffers/cache:       362M       1.6G
Swap:         1.0G       104M       919M

