[Oisf-devel] suricata memory consumption not follow down after http test stoped.
Delta Yeh
delta.yeh at gmail.com
Wed Sep 14 09:04:40 UTC 2011
The flow settings I use is
max-pending-packets: 400
flow-timeouts:
default:
new: 10
established: 20
closed: 10
emergency_new: 10
emergency_established: 10
emergency_closed: 0
tcp:
new: 10
established: 20
closed: 10
emergency_new: 10
emergency_established: 10
emergency_closed: 20
I use command "./suricata -c /etc/suricata/suricata.yaml -i eth0 " to
start suricata
Test suricata with "ab -c 10 -n 600000 http://192.168.1.123/", it
consume less memory than before. But after test finished, the memory
won't decrease(I wait 10 minutes).
When 2 rounds test finished , the memory is:
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
28864 4335 root S 893m 44% 1 4% ./suricata -c
/etc/suricata/suricata.yaml -i eth0
10 minutes later, the momory does NOT decrease.
During the test, I see some:
[28867] 14/9/2011 -- 16:19:47 - (app-layer-parser.c:955) <Error>
(AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
parsing "http" app layer protocol, using network protocol 6, source IP
address 192.168.1.2, destination IP address 192.168.1.123, src port
57806 and dst port 80
I then use " ab -c 20 -n 600000 http://192.168.1.123/".
After the test finished, the memory is :
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
28864 4335 root S 1187m 59% 1 4% ./suricata -c
/etc/suricata/suricata.yaml -i eth0
I wait 10 minutes again, the momory does NOT decrease.
This can be reproduced in my box.
2011/9/14 Victor Julien <victor at inliniac.net>:
> Could you try lowering the flow timeout settings?
>
> flow-timeouts:
>
> tcp:
> new: 60
> established: 3600
> closed: 120
> emergency_new: 10
> emergency_established: 300
> emergency_closed: 20
>
> @Peter, can you try to reproduce this?
>
> Cheers,
> Victor
>
>
More information about the Oisf-devel
mailing list