Project

General

Profile

Actions

Bug #2819

closed

Unconstrained memory growth of tcpdump

Added by Irving Popovetsky almost 12 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Operating System
Target version:
-
Start date:
02/15/2013
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

The following process seems to grow in an unconstrained fashion:

/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0

Observed over the past 6 months of running 2.1 snapshots. Currently running Feb 4th 2013 snapshot. See attached RRD graphs for evidence.

This seems to be associated with option "10) Filter Logs" in the console menu and function filter_pflog_start. It is started on boot and every time the filter reloads, so I assume it has to do with logging.

Of course users with embedded systems will be more sensitive to this, as noted in these forum posts:
[[http://forum.pfsense.org/index.php/topic,57424.0.html]]
[[http://forum.pfsense.org/index.php/topic,55441.0.html]]


Files

pfsense_memory_growth2.png (55.6 KB) pfsense_memory_growth2.png rrd memory graph - 1 month Irving Popovetsky, 02/15/2013 12:06 PM
pfsense_memory_growth.png (48.1 KB) pfsense_memory_growth.png rrd memory graph - 1 week Irving Popovetsky, 02/15/2013 12:06 PM
Actions #1

Updated by Jim Pingle almost 12 years ago

  • Priority changed from High to Normal
  • Target version deleted (2.1)

I thought there was already an open ticket for this here on redmine but I don't see it now.

That is for the filter log option, not the one from the console. It's what writes out /var/log/filter.log in the background.

This doesn't happen to everyone, and we've tried several times to track it down. It seems to depend somewhat on the volume/speed of packets being logged.

I added the -S to tcpdump a month or so ago to try alleviating the problem but if it still happens to you, then there must be something else going on.

Actions #2

Updated by Irving Popovetsky almost 12 years ago

Hi Jim, I agree there must be something else happening. I'm happy to Guinea pig my home pfSense router, which exhibits this condition quite nicely. Average < 100 pps, and < 1Mbps.

I assume that the correct course of action is to generate a coredump of tcpdump once it has gotten large, and get that to you for analysis?

Actions #3

Updated by Irving Popovetsky almost 12 years ago

Jim, I was able to reproduce the situation. 3 days after reboot, tcpdump process grew to 25 MB from 2.5 MB. I did a kill -6 and captured the core file.

Using "strings", I see that > 90% of the (printable) contents of the core file is lists of IP addresses and ports. So that tells me that tcpdump is holding on to some information about every connection.

Would you mind taking a look at the core file? Please let me know the easiest way for me to transfer it to you.

Thanks!

Actions #4

Updated by Chris Buechler almost 12 years ago

can attach it here if it's under 5 MB gzipped/bzipped which it might be at that. otherwise can email it to me and I can get it to others, cmb at pfsense dot org

Actions #5

Updated by Jos van de Ven over 11 years ago

I was looking for the cause that there were no new events logged in my firewall log. It happened a few times that above process suddenly exits and in my logs appears: kernel: pflog0: promiscuous mode disabled.
When I look at the time this happens when a computer on the LAN awakes from sleep. Then I see a lot of blocked connectionsfrom this computer on the LAN side. I guess these are old connections that expired in the state table.
Maybe it is related to this bug. I can restart this process by editing an interface and press Save.

Actions #6

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Resolved

this hasn't happened in 2.1x and newer versions

Actions

Also available in: Atom PDF