[Snort-devel] Snort problems with low processor?

James Hoagland hoagland at ...60...
Wed Mar 20 08:29:03 EST 2002


Dear Agazzini,

I can't answer your original question, but I can clarify something here.

>This morning I saw the top... and... again... :(
>but I saw a very strange thing!
>
>load averages:  1.26,  1.28,  1.25 
>10:58:58
>46 processes:  2 running, 43 idle, 1 zombie
>CPU states: 82.2% user,  0.0% nice, 13.7% system,  3.6% interrupt,  0.5% idle
>Memory: Real: 16M/27M act/tot  Free: 2144K  Swap: 6432K/101M used/tot
>
>   PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
>  1178 root      60    0 6492K 5604K run   -      563:04 85.45% snort
>
>as you can see the top recognize him as a USER program, and not as a 
>system program... when snort run corretly, it's on the SYSTEM part 
>and not user....

Actually, I don't believe your last part is correct.  In the context 
of the "CPU states" line (same thing if you run "time" on a program), 
user and system do not refer to who is running the program (the 
owning user).  Instead it is tracking the amount of time in the 
program itself and the amount of time in the kernal (e.g., responding 
to system calls from a program).  Snort does almost all of its work 
in user space (that is, within its own program confines), so what you 
show there looks fine.

Hope this helps,

   Jim

-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...60..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|




More information about the Snort-devel mailing list