[Oisf-users] FlowManagerThread idle CPU usage

Peter Manev petermanev at gmail.com
Sun Mar 27 10:21:10 UTC 2016 

On Mon, Mar 21, 2016 at 5:15 PM,  <elof2 at sentor.se> wrote:
>
> Ok.
>
> It feels a bit steep to constantly draw 2-3% CPU doing nothing at all. :)
>
> ...especially since my hash table has never been filled with any flows in
> the first place.
> The sensor is just booted and idling. It has seen a total of 0 packets.

You can divide the prealloc flows by 2 and give it a try.
However I think if you are "idling" most of the time there is no need
to preallocate 1 million flows.

>
> Perhaps you can shave off a couple of CPU cycles here if the collector can
> be made a little smarter? :)

Perhaps...
Any suggestions in particular ? :)

>
> /Elof
>
>
>
> On Mon, 21 Mar 2016, Victor Julien wrote:
>
>> On 21-03-16 12:05, elof2 at sentor.se wrote:
>>>
>>> Should the FlowManagerThread in Suricata really use CPU resources when
>>> there are zero captures packets?
>>>
>>> My sensor is completely silent (zero packets on ix1), but 'top -PSHz'
>>> show a constant CPU utilization of 2.69% for the FlowManagerThread.
>>>
>>>
>>> The box itself is idling. No traffic in or out. No SPAN is sent to it.
>>> So there's just a suricata running, doing nothing.
>>> Yet, it constantly consumes ~2.7% of one CPU.
>>
>>
>> This is expected. The flow manager thread is basically a garbage
>> collector walking a hash table on a interval. The cpu time is related to
>> the flow hash table size. If there are many flows it will take more CPU,
>> but it will take some even if the hash is (virtually) empty.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev

More information about the Oisf-users mailing list