packetbeat: use af_packet by default on linux #2048
LGTM. This reminded me of #1376. Is there anything in the docs that should be updated for this one?
This one is debatable, af_packet requires more memory + a kernel config option enabled at compile time (luckily on in most distros). I'm not sure it's a good idea to change the default.
Right, increased memory usage. Advantage, much less chance of packet-loss (libpcap based sniffer has higher overhead). @andrewkroh I'm not sure #522 is really an issue. af_packet requires to allocate memory in kernel-space, but if kernel cannot allocate a big enough continuous space bad luck. #621 is more interesting. I remember reading about kernel bugs with TPACKET V3 (not sure about V2 anymore).
If I remember correctly that can happen when the memory is in disk caches as well, which can easily happen in normal operation. We'd probably need to drop the caches from the init script/systemd file if we are to make this the default, but we'd have to do that only for Packetbeat.
Or we could have Packetbeat itself do it only if it detects an allocation error. It might still be surprising for operators that we drop caches on Packetbeat start.
Yeah, with packetbeat potentially installed on application servers flushing all caches on startup might be quite annoying. Normally it shouldn't be much of a problem, as packetbeat should be started early on by init-scripts. But when installing and testing packetbeat, one might want to try running it in foreground.
No description provided.