Bug #2819
closed
Unconstrained memory growth of tcpdump
Description
The following process seems to grow in an unconstrained fashion:
/usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog0
Observed over the past 6 months of running 2.1 snapshots. Currently running Feb 4th 2013 snapshot. See attached RRD graphs for evidence.
This seems to be associated with option "10) Filter Logs" in the console menu and function filter_pflog_start. It is started on boot and every time the filter reloads, so I assume it has to do with logging.
Of course users with embedded systems will be more sensitive to this, as noted in these forum posts:
[[http://forum.pfsense.org/index.php/topic,57424.0.html]]
[[http://forum.pfsense.org/index.php/topic,55441.0.html]]
Updated by Jim Pingle almost 12 years ago
- Priority changed from High to Normal
- Target version deleted (2.1)
I thought there was already an open ticket for this here on redmine but I don't see it now.
That is for the filter log option, not the one from the console. It's what writes out /var/log/filter.log in the background.
This doesn't happen to everyone, and we've tried several times to track it down. It seems to depend somewhat on the volume/speed of packets being logged.
I added the -S to tcpdump a month or so ago to try alleviating the problem but if it still happens to you, then there must be something else going on.
Updated by Irving Popovetsky almost 12 years ago
Hi Jim, I agree there must be something else happening. I'm happy to Guinea pig my home pfSense router, which exhibits this condition quite nicely. Average < 100 pps, and < 1Mbps.
I assume that the correct course of action is to generate a coredump of tcpdump once it has gotten large, and get that to you for analysis?
Updated by Irving Popovetsky almost 12 years ago
Jim, I was able to reproduce the situation. 3 days after reboot, tcpdump process grew to 25 MB from 2.5 MB. I did a kill -6 and captured the core file.
Using "strings", I see that > 90% of the (printable) contents of the core file is lists of IP addresses and ports. So that tells me that tcpdump is holding on to some information about every connection.
Would you mind taking a look at the core file? Please let me know the easiest way for me to transfer it to you.
Thanks!
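Added example (not part of the ticket and not pfSense or tcpdump code): a small Python script that repeats the "strings" triage described in the comment above and measures what share of a core file's printable bytes sits in strings containing an IPv4 address with an optional port. The function names, the 4-byte minimum string length and the sample data are assumptions made for illustration.

```python
import re
import sys

# Printable ASCII runs of at least MIN_LEN bytes, similar to strings(1).
MIN_LEN = 4  # assumed threshold, not taken from the ticket
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# IPv4 address, optionally followed by a port in tcpdump's "a.b.c.d.port"
# form or the common "a.b.c.d:port" form.
IP_PORT = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}(?:[.:]\d{1,5})?\b")


def printable_strings(data):
    """Return every printable run in a binary blob."""
    return PRINTABLE_RUN.findall(data)


def ip_share(data):
    """Return (ip_bytes, printable_bytes, ratio) for a binary blob.

    ip_bytes counts the bytes of printable strings that contain at least
    one address, so ratio is the share of printable content made of
    address/port text.
    """
    runs = printable_strings(data)
    total = sum(len(r) for r in runs)
    ip_bytes = sum(len(r) for r in runs if IP_PORT.search(r))
    ratio = ip_bytes / total if total else 0.0
    return ip_bytes, total, ratio


def constructed_core():
    """Constructed sample (not data from the ticket): text runs split by binary padding."""
    pad = b"\x00\x01\xff\x00"
    flows = [b"192.0.2.%d.%d > 198.51.100.7.443" % (i, 40000 + i)
             for i in range(1, 20)]
    other = [b"/usr/sbin/tcpdump", b"pflog0", b"libpcap version"]
    return pad.join(flows + other) + pad


if __name__ == "__main__":
    # Pass a core file path as the first argument; without one the
    # constructed sample is analysed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = constructed_core()
    ip_bytes, total, ratio = ip_share(blob)
    print(f"{ip_bytes} of {total} printable bytes ({ratio:.1%}) are in address strings")
```

A core file can contain logged addresses from the network it was captured on, so running a summary like this locally shows what the file holds before it is attached to a public ticket.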
Updated by Chris Buechler almost 12 years ago
can attach it here if it's under 5 MB gzipped/bzipped which it might be at that. otherwise can email it to me and I can get it to others, cmb at pfsense dot org
Updated by Jos van de Ven over 11 years ago
I was looking for the cause that there were no new events logged in my firewall log. It happened a few times that the above process suddenly exits and in my logs appears: kernel: pflog0: promiscuous mode disabled.
When I look at the time, this happens when a computer on the LAN awakes from sleep. Then I see a lot of blocked connections from this computer on the LAN side. I guess these are old connections that expired in the state table.
Maybe it is related to this bug. I can restart this process by editing an interface and press Save.
Updated by Chris Buechler about 10 years ago
- Status changed from New to Resolved
this hasn't happened in 2.1x and newer versions