Af_packet error on RHEL

Marcbilger · December 16, 2015, 7:22am

Hi,

First, I'd like to thank you for the great job you're providing !

Here is my use case :
I want to get DNS data into ELK (huge amount of packets/ sec).
Packetbeat is installed on a dedicated server.

I installed Packetbeat (1.0.0 rpm for RHEL install)

Here is the RHEL release version:

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

my packetbeat.yml

> interfaces:

>  device:  eth1

>   with_vlans: true

> protocols:

>   dns:

>     ports: [53]

>    
> include_authorities: true

>    
> include_additionals: true

> output:

>  logstash:

>     hosts: ["localhost:5044"]

>     worker: 2

When trying the af_packet type in packetbeat.yml, I get the following error:

2015-12-15T14:27:59+01:00 CRIT Initializing sniffer failed:
Error creating sniffer: setsockopt packet_rx_ring: cannot allocate memory

I'm not a linux specialist, so please could you advise?

best regards.

tudor · December 16, 2015, 9:36am

Can you try dropping the caches, please:

 echo 3 > /proc/sys/vm/drop_caches

And check (e.g. with free) that you have at least 100 MB or so free. The af_packet mode needs to allocate the whole buffer at startup.

Marcbilger · December 16, 2015, 9:56am

Thx for the answer,
performed. but I got the same CRIT error.
Here is the free output.

free -h
total used free shared buffers cached
Mem: 2.0G 448M 1.5G 4K 44M 41M
-/+ buffers/cache: 362M 1.6G
Swap: 1.0G 104M 919M

regards,

Topic		Replies	Views
Packetbeat, af_packet and Linux 2.6 Beats packetbeat	8	2679	August 28, 2017
WARN Invalid response: Data too small to contain a valid length Beats packetbeat	8	1505	August 4, 2017
Auditbeat service is not starting in Centos Beats auditbeat	1	325	February 25, 2021
Missing packets of packetbeat? Beats	7	1401	February 8, 2018
Performance of Packetbeat? Beats packetbeat	2	1571	February 20, 2018

Af_packet error on RHEL

Related topics