[Snort-devel] [Resend] pb 100% cpu with stream4 in snort 1.9.0build209...build230

rmkml rmkml at ...1042...
Thu Mar 6 12:27:22 EST 2003


OK, thanks for your answers,
but is it possible for you to optimize line 670?
Because if memcap is full, snort uses 100% CPU
for many seconds and pcap drops more packets (30%!)...



Erek Adams wrote:

> On Wed, 5 Mar 2003, rmkml wrote:
>
> > > You make it just give up in the "nothing timed out and we're still
> > > full case"
> >
> > I don't understand your answer.
> > Can you explain what you mean?
> >
> > When memcap is full,
> > snort (pcap) drops packets,
> > because CPU is at 100%!
> > If I comment out line 670,
> > snort is not at 100%,
> > and then snort does not drop packets!
>
> *sigh*
>
> Ok, think of it like this.  When the bucket gets full, snort takes the
> time to empty the bucket.  Time taken to empty it == time taken away from
> sniffing packets.  If you comment out that line of code, snort _never_
> tries to empty the bucket...  And just like in real life when you try to
> put something into a bucket that's already full, it just spills over and
> never goes in.  Since there is no check to see if it's full snort never
> knows this, and just keeps on sniffing packets.
>
> Remember, the bucket that we're talking about is stream4.  If you don't
> care about stream reassembly, then disable it.  If you don't want to
> disable it, make a bigger bucket by adding more memory for stream4 to use.
>
> There's no problem here.  It's _normal_ expected behavior, if you're on a
> fast pipe and stream4 fills up all its memory.
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson
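
The bucket analogy from the quoted reply, as an added example that is not part of this thread and is not Snort's code: a simplified model that counts how many table entries prune passes examine with a small cap and with a larger one. The function name, the one-new-session-per-packet traffic, the packet-count timeout and the oldest-session eviction are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not Snort source (all names are hypothetical).
 * Every packet opens a new session, a session times out after `timeout`
 * packets, and the table holds at most `cap` sessions (the "memcap").
 * Returns the number of table entries examined by prune passes. */
unsigned long prune_work(size_t cap, unsigned long timeout, unsigned long packets)
{
    unsigned long *born = malloc(cap * sizeof *born);
    unsigned long work = 0;
    size_t n = 0;
    if (!born) return 0;

    for (unsigned long t = 0; t < packets; t++) {
        if (n == cap) {                 /* bucket is full: run a prune pass */
            size_t kept = 0;
            work += n;                  /* the pass looks at every entry */
            for (size_t i = 0; i < n; i++)
                if (t - born[i] < timeout)
                    born[kept++] = born[i];
            n = kept;
            if (n == cap) {             /* nothing timed out, still full */
                for (size_t i = 1; i < n; i++)
                    born[i - 1] = born[i];
                n--;                    /* evict the oldest session */
            }
        }
        born[n++] = t;                  /* track the new session */
    }
    free(born);
    return work;
}

int main(void)
{
    /* Constructed numbers: 100000 packets, sessions live for 5000 packets. */
    printf("cap 1000:  %lu entries examined\n", prune_work(1000, 5000, 100000));
    printf("cap 20000: %lu entries examined\n", prune_work(20000, 5000, 100000));
    return 0;
}
```

With the cap below the number of live sessions, every packet pays for a full pass that frees nothing; with the cap above it, each pass frees most of the table and passes become rare.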




