[Oisf-devel] Mem leaks

Anoop Saldanha poonaatsoc at gmail.com
Fri Oct 14 07:20:06 UTC 2011 

On Thu, Oct 6, 2011 at 8:48 PM, Eric Leblond <eric at regit.org> wrote:
> Hello,
>
> On Thu, 2011-10-06 at 09:48 -0500, Martin Holste wrote:
>> Can someone explain the workers runmode?  How is it different from autofp?
>
> In workers mode, there is a family of threads and each threads does all
> the tasks from capture to logging.
>
> BR,
>>
>> On Thu, Oct 6, 2011 at 9:46 AM, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:
>> > I was wondering whether Anoop's ac fixes (b7b580) might be the issue,
>> > but I'm not at all sure. It might be that my cores sizes are bigger
>> > anyway because I switched from b2g to ac. Getting them every time I
>> > killed suricata certainly brought their size to my attention :(
>> >
>> > I'll try the latest git master for a bit! Might even try runmode=worker :)
>> >
>> > Best Wishes,
>> > Chris
>> >
>> > On 06/10/11 15:32, Victor Julien wrote:
>> >> On 10/06/2011 04:30 PM, Martin Holste wrote:
>> >>> Yeah, maybe, but the baseline is almost double.  Do you want me to
>> >>> switch back to master for awhile?
>> >>
>> >> If you can, please. The bigger baseline is certainly unintentional, so
>> >> we'll look into that as well.
>> >>
>> >> Btw, I think Eric fixed the pfring shutdown thing as well in the updated
>> >> master.
>> >>
>> >> Cheers,
>> >> Victor
>> >>
>> >>> On Thu, Oct 6, 2011 at 9:25 AM, Victor Julien <victor at inliniac.net> wrote:
>> >>>> So could it be that the master just has a higher baseline but stops
>> >>>> growing at some point as well? The higher baseline might be explained by
>> >>>> some AC pattern matcher updates.
>> >>>>
>> >>>> On 10/06/2011 02:59 AM, Martin Holste wrote:
>> >>>>> bc5, still no leaks.
>> >>>>>
>> >>>>> On Wed, Oct 5, 2011 at 7:54 PM, Victor Julien <victor at inliniac.net> wrote:
>> >>>>>> On 10/05/2011 11:41 PM, Martin Holste wrote:
>> >>>>>>> Seems to be no leaks thus far after 4 hours.
>> >>>>>>
>> >>>>>> So what git ref is it you are running now exactly? Lost track.
>> >>>>>>
>> >
>> > --
>> > --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
>> > Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
>> > IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
>> > Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
>> > _______________________________________________
>> > Oisf-devel mailing
>> > Oisf-devel at openinfosecfoundation.org
>> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>> >
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
> --
> Eric Leblond
> Blog: http://home.regit.org/
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>

Coming to the memory usage, ac changes might be the reason behind the
mem increase(not a leak).  I have changed all u16 buffers to u32 and
so on.  The usage increase might look bigger when ac-full is used,
although with ac-single it should be pretty okay.  Btw you should see
much better perf(around 15%-20%).  How big's your ruleset btw?

-- 
Anoop Saldanha

More information about the Oisf-devel mailing list