[Snort-users] Re: [Snort-users] CPU usage grow to max

Alessandro Fiorenzi a.iorenzi at ...2470...
Tue Jan 29 23:45:02 EST 2002


> What output modes are you using?
> 
>     -Marty


I am using output on mysql, and syslog. 
with top I have this:

  9:01am  up 10 days, 23:17,  1 user,  load average: 0.87, 0.74, 0.55
44 processes: 41 sleeping, 3 running, 0 zombie, 0 stopped
CPU0 states: 98.0% user,  1.0% system,  0.0% nice,  0.0% idle
CPU1 states:  0.1% user,  0.0% system,  0.0% nice, 99.0% idle
Mem:   255152K av,  251832K used,    3320K free,       0K shrd,   29460K
buff
Swap:  128480K av,    1636K used,  126844K free                  124632K
cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
 1050 root      16   0  6996 6996  1152 R    99.6  2.7  7426m snort
18693 admin     10   0  1076 1076   864 R     1.9  0.4   0:00 top
    1 root       8   0   544  544   472 S     0.0  0.2   0:04 init
    2 root       8   0     0    0     0 SW    0.0  0.0   0:00 keventd
    3 root       9   0     0    0     0 SW    0.0  0.0   0:03 kswapd
    4 root       9   0     0    0     0 SW    0.0  0.0   0:00 kreclaimd
    5 root       9   0     0    0     0 SW    0.0  0.0   0:00 bdflush
    6 root       9   0     0    0     0 SW    0.0  0.0   0:00 kupdated
    7 root      -1 -20     0    0     0 SW<   0.0  0.0   0:00 mdrecoveryd
  609 root       9   0   588  588   488 S     0.0  0.2   0:15 syslog



and with vmstat I have the following:


[admin at ...4731... admin]$ vmstat 1
   procs                      memory    swap          io     system    
    cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us
 sy  id
 1  0  0   1636   3408  29472 124652   0   0     0     0   16     2   1
  1   8
 1  0  0   1636   3412  29472 124652   0   0     0     0  713   162  37
  1  62
 1  0  0   1636   3404  29472 124652   0   0     0     0  775   137  42
  0  58
 0  0  0   1636   3404  29472 124652   0   0     0     0  781   290  38
  0  62
 1  0  0   1636   3412  29472 124652   0   0     0     0  895   222  38
  2  60
 1  0  0   1636   3412  29472 124652   0   0     0     0  952    90  46
  0  54
 0  0  0   1636   3404  29472 124652   0   0     0     0  740   233  34
  0  66
 1  0  0   1636   3412  29472 124652   0   0     0     4  801   305  36
  2  62
 0  0  0   1636   3404  29472 124652   0   0     0     1  872   106  44
  0  56
 1  0  0   1636   3412  29472 124652   0   0     0     0 1142    12  50
  0  50
 1  0  0   1636   3412  29472 124652   0   0     0     0  991     8  49
  1  50
 1  0  0   1636   3412  29472 124652   0   0     0     0 1001     8  50
  0  50
 1  0  0   1636   3412  29472 124652   0   0     0     0  854   194  40
  1  58
 1  0  0   1636   3412  29472 124652   0   0     0     0  797    88  44
  0  56
 1  0  0   1636   3412  29472 124652   0   0     0     0  823    82  42
  0  58
 1  0  0   1636   3412  29472 124652   0   0     0     0  761   256  36
  0  64
 1  0  0   1636   3404  29472 124652   0   0     0     0  840   225  39
  0  61
 1  0  0   1636   3412  29472 124652   0   0     0     8  727   297  35
  0  65
 1  0  0   1636   3412  29472 124652   0   0     0     0 1161    46  49
  0  51
 1  0  0   1636   3412  29472 124652   0   0     0     0 1066    26  49
  0  51


So I have no I/O problem but cpu usage problem, bandwith is 16Mbit with
an usage of 8-12Mbit. 


rtin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 














> 
> On 1/29/02 12:11 PM, "Alessandro Fiorenzi" <a.iorenzi at ...2470...> wrote:
> 
> > Hi, I have installed a snort sensor on a Pentium III 733MHz to monitor 3
> > C class traffic, but I see everytime cpu usage 100% is it possible?
> > On this machine I have two processor but snort use only one processor,
> > is there any way to use two processor?


More information about the Snort-users mailing list