[Snort-devel] [Resend] pb 100% cpu with stream4 in snort 1.9.0build209...build230

Erek Adams erek at ...835...
Thu Mar 6 06:12:07 EST 2003

On Wed, 5 Mar 2003, rmkml wrote:

> > You make it just give up in the "nothing timed out and we're still
> > full case"
> I don't understand your answer.
> Can you explain what you mean?
> When memcap is full,
> snort (pcap) drops packets,
> because cpu is 100%!
> If I comment out line 670,
> snort is not at 100%,
> and then snort does not drop packets!


Ok, think of it like this.  When the bucket gets full, snort takes the
time to empty the bucket.  Time taken to empty it == time taken away from
sniffing packets.  If you comment out that line of code, snort _never_
tries to empty the bucket...  And just like in real life when you try to
put something into a bucket that's already full, it just spills over and
never goes in.  Since there is no check to see if it's full snort never
knows this, and just keeps on sniffing packets.

Remember, the bucket that we're talking about is stream4.  If you don't
care about stream reassembly, then disable it.  If you don't want to
disable it, make a bigger bucket by adding more memory for stream4 to use.

There's no problem here.  It's _normal_ expected behavior, if you're on a
fast pipe and stream4 fills up all its memory.

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
