Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

packetbeat: use af_packet by default on linux #2048

Closed
wants to merge 1 commit into from

Conversation

urso
Copy link

@urso urso commented Jul 15, 2016

No description provided.

@urso urso force-pushed the enh/linux-afpacket-by-default branch from 0be8437 to 8d43ae2 Compare July 15, 2016 15:35
@andrewkroh
Copy link
Member

LGMT. This reminded me of #1376.

Is there anything in the docs that should be updated for this one?

@tsg
Copy link
Contributor

tsg commented Jul 17, 2016

This one is debatable, af_packet requires more memory + a kernel config option enabled at compile time (luckily on in most distros). I'm not sure it's a good idea to change the default.

@andrewkroh
Copy link
Member

Additionally there are two issues that we might see more occurrences of if we change to af_packet by default.

#522
#621

@urso
Copy link
Author

urso commented Jul 18, 2016

right, increased memory usage. Advantage, much less chance of packet-loss (libpcap based sniffer has hugher overhead).

@andrewkroh I'm not sure #522 is really an issue. af_packet requires to allocate memory in kernel-space, but if kernel can not allocate a big enough continuous space bad luck. #621 is more interesting. I remember reading about kernel bugs with TPACKET V3 (not sure about V2 anymore).

@tsg
Copy link
Contributor

tsg commented Jul 19, 2016

I'm not sure #522 is really an issue. af_packet requires to allocate memory in kernel-space, but if kernel can not allocate a big enough continuous space bad luck.

If I remember correctly that can happen when the memory is in disk caches as well, which can easily happen in normal operation. We'd probably need to drop the caches from the init script/systemd file if we are to make this the default, but we'd have to do that only for Packetbeat.

@tsg
Copy link
Contributor

tsg commented Jul 19, 2016

Or we could have Packetbeat itself do it only if it detects an allocation error. It might still be surprising for operators that we drop caches on Packetbeat start.

@urso
Copy link
Author

urso commented Jul 19, 2016

yeah, with packetbeat potentially installed on application servers flushing all caches on startup might be quite annoying.

Normally it shouldn't be much of a problem, as packetbeat should be started early on by init-scripts. But when installing and testing packetbeat, one might want to try running it in foreground.

@urso urso closed this Jul 19, 2016
@ruflin ruflin added the v6.5.0 label Aug 28, 2018
@urso urso deleted the enh/linux-afpacket-by-default branch February 19, 2019 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants