[Oisf-devel] suricata memory consumption not follow down after http test stopped.
Victor Julien
victor at inliniac.net
Wed Sep 14 09:12:40 UTC 2011
Can you run suricata in valgrind? It will slow it down a lot but it may
help determine memleaks.

valgrind -v --leak-check=full --show-reachable=yes <your suricata commandline>

There are several minor leaks reported, but none of them should be large
and none of them should have its origin in the "packet runtime".

You can also add --log-file=log to valgrind and attach the full log.

Cheers,
Victor
On 09/14/2011 11:04 AM, Delta Yeh wrote:
> The flow settings I use are
>
> max-pending-packets: 400
> flow-timeouts:
>   default:
>     new: 10
>     established: 20
>     closed: 10
>     emergency_new: 10
>     emergency_established: 10
>     emergency_closed: 0
>   tcp:
>     new: 10
>     established: 20
>     closed: 10
>     emergency_new: 10
>     emergency_established: 10
>     emergency_closed: 20
>
>
> I use the command "./suricata -c /etc/suricata/suricata.yaml -i eth0" to
> start suricata.
>
> Test suricata with "ab -c 10 -n 600000 http://192.168.1.123/", it
> consumes less memory than before. But after the test finished, the memory
> won't decrease (I waited 10 minutes).
>
> When 2 rounds of tests finished, the memory is:
>
> PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
> 28864 4335 root S 893m 44% 1 4% ./suricata -c /etc/suricata/suricata.yaml -i eth0
>
> 10 minutes later, the memory does NOT decrease.
>
> During the test, I see some:
>
> [28867] 14/9/2011 -- 16:19:47 - (app-layer-parser.c:955) <Error>
> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in
> parsing "http" app layer protocol, using network protocol 6, source IP
> address 192.168.1.2, destination IP address 192.168.1.123, src port
> 57806 and dst port 80
>
>
>
> I then use "ab -c 20 -n 600000 http://192.168.1.123/".
> After the test finished, the memory is:
>
> PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
> 28864 4335 root S 1187m 59% 1 4% ./suricata -c /etc/suricata/suricata.yaml -i eth0
>
> I wait 10 minutes again, the memory does NOT decrease.
>
> This can be reproduced in my box.
>
> 2011/9/14 Victor Julien <victor at inliniac.net>:
>> Could you try lowering the flow timeout settings?
>>
>> flow-timeouts:
>>
>>   tcp:
>>     new: 60
>>     established: 3600
>>     closed: 120
>>     emergency_new: 10
>>     emergency_established: 300
>>     emergency_closed: 20
>>
>> @Peter, can you try to reproduce this?
>>
>> Cheers,
>> Victor
>>
>>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
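
Added example, not part of the original message and not Suricata code: a Python triage of the log that the valgrind command above writes with --log-file=log, ranking loss records by size and by the first caller above the allocator so that large "definitely lost" records stand out from the "still reachable" ones that --show-reachable=yes also lists. The sample log is constructed; its PID, addresses, function names and file names are made up.

```python
import re
from collections import defaultdict
# Constructed sample valgrind output; PID, addresses and names are made up.
SAMPLE_LOG = """\
==4242== 64 bytes in 1 blocks are still reachable in loss record 1 of 3
==4242==    at 0x4C2B6CD: malloc (vg_replace_malloc.c:299)
==4242==    by 0x401234: ExampleInit (example-init.c:42)
==4242==
==4242== 2,048 bytes in 2 blocks are possibly lost in loss record 2 of 3
==4242==    at 0x4C2D110: calloc (vg_replace_malloc.c:711)
==4242==    by 0x402222: ExampleThreadSetup (example-thread.c:15)
==4242==
==4242== 1,048,576 (1,000,000 direct, 48,576 indirect) bytes in 500 blocks are definitely lost in loss record 3 of 3
==4242==    at 0x4C2B6CD: malloc (vg_replace_malloc.c:299)
==4242==    by 0x405678: ExamplePacketAlloc (example-packet.c:77)
"""

HEADER = re.compile(
    r"^==\d+==\s+([\d,]+) (?:\([^)]*\) )?bytes in ([\d,]+) blocks are "
    r"(definitely lost|indirectly lost|possibly lost|still reachable) in loss record")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+)$")

def parse_loss_records(text):
    """Return one dict per loss record: bytes, blocks, kind, stack frames."""
    records, current = [], None
    for line in text.splitlines():
        m, f = HEADER.match(line), FRAME.match(line)
        if m:
            current = {"bytes": int(m.group(1).replace(",", "")),
                       "blocks": int(m.group(2).replace(",", "")),
                       "kind": m.group(3), "frames": []}
            records.append(current)
        elif f and current is not None:
            current["frames"].append(f.group(1))
        else:
            current = None  # a blank or unrelated line ends the current stack
    return records

def rank_leaks(records, allocators=("malloc", "calloc", "realloc")):
    """Sum bytes per (kind, first non-allocator frame), largest first."""
    totals = defaultdict(int)
    for r in records:
        caller = next((fr for fr in r["frames"] if fr.split(" ")[0] not in allocators), "<unknown>")
        totals[(r["kind"], caller)] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (kind, caller), size in rank_leaks(parse_loss_records(SAMPLE_LOG)):
        print(f"{size:>12,d}  {kind:<16}  {caller}")
```

To use it on a real run, pass the contents of the valgrind log file to parse_loss_records() instead of SAMPLE_LOG.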