[Oisf-users] Suricata 2.0.7 fails to start

Victor Julien lists at inliniac.net
Tue Mar 3 19:52:27 UTC 2015 

On 03/03/2015 08:44 PM, Yasha Zislin wrote:
> Victor,
> 
> Thanks for quick response. Yes, I've reduced stream.prealloc-sessions
> and Suricata was able to start up.
> 
> It seems to me that we this reduction, I can have bigger packet loss
> which I am trying to prevent.
> It used to work just fine with previous versions.

It worked fine because of the bug I think :) Due to a race condition not
all of the threads actually respected the value from the yaml.

> Also, how can I calculate the highest value that I can use?

TcpSession structure is 192 bytes, PoolBucket 24. So it should be:

(192 + 24) * prealloc_sessions * number of threads = memory use in bytes

Cheers,
Victor



> 
> Thanks.
> 
>> Date: Tue, 3 Mar 2015 16:08:21 +0100
>> From: lists at inliniac.net
>> To: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata 2.0.7 fails to start
>>
>> On 03/03/2015 04:05 PM, Yasha Zislin wrote:
>> > I have downloaded the latest suricata and compiled it the same way as I
>> > have done before.
>> > Everything seems to be find until i try to start it.
>> > I get errors like these
>> > [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc error
>> > 3/3/2015 -- 09:33:29 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - pool
>> > grow failed
>> > 3/3/2015 -- 09:33:29 - <Info> - (RxPFReth219) Using PF_RING v.6.0.3,
>> > interface eth2, cluster-id 98
>> > 3/3/2015 -- 09:33:30 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc
>> > error
>> > 3/3/2015 -- 09:33:30 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - pool
>> > grow failed
>> > 3/3/2015 -- 09:33:30 - <Info> - (RxPFReth220) Using PF_RING v.6.0.3,
>> > interface eth2, cluster-id 98
>> > 3/3/2015 -- 09:33:30 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - alloc
>> > error
>> > 3/3/2015 -- 09:33:30 - <Error> - [ERRCODE: SC_ERR_POOL_INIT(66)] - pool
>> > grow failed
>> > 3/3/2015 -- 09:33:30 - <Info> - RunModeIdsPfringWorkers initialised
>> > 3/3/2015 -- 09:33:30 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] -
>> > thread "RxPFReth218" closed on initialization.
>> > 3/3/2015 -- 09:33:30 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] -
>> > Engine initialization failed, aborting...
>> >
>> > I have two interfaces with 20 threads for each. I am using latest
>> > PF_RING (which I usually recompile as well).
>> >
>> > These errors seem to be PF_RING related. Any ideas?
>>
>> This seems to be related to the fix for issue 1318
>> (https://redmine.openinfosecfoundation.org/issues/1318). Could you try
>> lowering your stream.prealloc-sessions setting?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-users mailing list