[Snort-devel] [Resend] pb 100% cpu with stream4 in snort 1.9.0build209...build230
rmkml at ...1042...
Thu Mar 6 12:27:22 EST 2003
ok thanks for your answers,
but it is possible you optimize ligne 670 ?
because if memcap is fill, snort use 100% cpu
during many seconds and drop pcap more packets (30% !)...
Erek Adams wrote:
> On Wed, 5 Mar 2003, rmkml wrote:
> > > You make it just give up in the "nothing timed out and we're still
> > > full case"
> > I don't understand your answer
> > can you explain what you mean ?
> > When memcap is fill,
> > snort (pcap) drop packets,
> > because cpu is 100% !
> > If comment ligne 670,
> > snort is not 100%,
> > then snort not drop packets !
> Ok, think of it like this. When the bucket gets full, snort takes the
> time to empty the bucket. Time taken to empty it == time taken away from
> sniffing packets. If you comment out that line of code, snort _never_
> tries to empty the bucket... And just like in real life when you try to
> put something into a bucket that's already full, it just spills over and
> never goes it. Since there is no check to see if it's full snort never
> knows this, and just keeps on sniffing packets.
> Remember, the bucket that we're talking about is stream4. If you don't
> care about streamj reassembly, then disable it. If you don't want to
> disable it, make a bigger bucket by adding more memory for stream4 to use.
> There's no problem here. It's _normal_ expected behavior, if you're on a
> fast pipe and stream4 fills up all it's memory.
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-devel