[Oisf-users] Number of handles used by suricata
Ruslan Usmanov
ruslanuxml at gmail.com
Thu Mar 22 04:16:32 UTC 2018
Hello Victor,
I'm working on Windows 7 to 10.
Can you please show the test branch which uses a pool of mutexes instead
of a mutex per object?
Also, what do you think of the idea to change polling in the timeout
mechanism in flow-control? Instead of running through the array of handles
every second and acquiring and releasing the lock, we can create an additional
array of indexes sorted in the order of timeout. I see that for flows it is
done so that we read an atomic variable of the earliest timeout for every hash
entry. But on Windows this still adds to CPU cycles. We can create a model of
an array of indexes sorted in the order of timeout, then use that model
for flows, hosts, ippairs...
Thank you,
Ruslan
Tuesday, December 5, 2017, 1:19:03 PM, you wrote:
> On 05-12-17 19:07, Ruslan Usmanov wrote:
>> Is the number of open handles by suricata an area of concern?
>>
>> I noticed when suricata is running with default configuration (max-frags
>> = 65535 with prealloc, flow hash_size = 65536), the process keeps open
>> 220,000 handles.
>>
>> By bringing down the number of these items, we can save up to 200k handles
>> on the system. I understand the reason is because each defrag and flow
>> requires its own mutex and handle.
>>
>> What are you doing - just ignoring the number of open handles, or using
>> lower values, and what is the recommended number of defrags/flows, having
>> in mind we still want to keep the system protected?
> I've really only seen this to be an issue on windows (cygwin). In linux
> a mutex isn't really a handle with the OS.
> For Windows I do have a test branch that uses a pool of mutexes instead
> of a mutex per object. Could revive that if there is interest.
> What OS are you on?
--
Best regards,
Ruslan Usmanov
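
The timeout-ordered index proposed in this message, as an added C example that is not part of the original post or of Suricata's code: a min-heap of flow indexes (swapped in here for the sorted array, so re-ordering stays cheap) lets the manager pass inspect only entries that are due instead of walking every bucket each second. Assumptions: all names and the 8-entry table are hypothetical, and the sketch is single-threaded, whereas a real packet path would update the deadline atomically.

```c
#include <stddef.h>
#include <stdint.h>
#define NFLOWS 8  /* constructed size; the thread's default flow hash_size is 65536 */
typedef struct { uint32_t deadline, idx; } Entry;
static uint32_t flow_deadline[NFLOWS];  /* authoritative timeout, written by packet path */
static Entry heap[NFLOWS];              /* min-heap of flow indexes keyed on deadline */
static size_t heap_len;

static void swap(Entry *a, Entry *b) { Entry t = *a; *a = *b; *b = t; }
static void sift_up(size_t i) {
    for (; i > 0 && heap[(i - 1) / 2].deadline > heap[i].deadline; i = (i - 1) / 2)
        swap(&heap[i], &heap[(i - 1) / 2]);
}
static void sift_down(size_t i) {
    for (;;) {
        size_t l = 2 * i + 1, r = l + 1, m = i;
        if (l < heap_len && heap[l].deadline < heap[m].deadline) m = l;
        if (r < heap_len && heap[r].deadline < heap[m].deadline) m = r;
        if (m == i) return;
        swap(&heap[i], &heap[m]);
        i = m;
    }
}

/* Start tracking a flow; each live flow owns exactly one heap entry. */
int flow_track(uint32_t idx, uint32_t deadline) {
    if (idx >= NFLOWS || heap_len >= NFLOWS) return -1;  /* reject out-of-range or full */
    flow_deadline[idx] = deadline;
    heap[heap_len] = (Entry){ deadline, idx };
    sift_up(heap_len++);
    return 0;
}

/* Packet path: extend the deadline only; the heap entry goes stale until popped. */
void flow_refresh(uint32_t idx, uint32_t deadline) { if (idx < NFLOWS) flow_deadline[idx] = deadline; }

/* Manager pass: writes expired indexes, returns their count; *visited = entries inspected. */
size_t expire_pass(uint32_t now, uint32_t *expired, size_t *visited) {
    size_t n = 0;
    for (*visited = 0; heap_len > 0 && heap[0].deadline <= now; (*visited)++) {
        if (flow_deadline[heap[0].idx] > heap[0].deadline) {
            heap[0].deadline = flow_deadline[heap[0].idx];  /* refreshed: re-key, keep */
        } else {
            expired[n++] = heap[0].idx;                     /* really timed out */
            heap[0] = heap[--heap_len];
        }
        sift_down(0);
    }
    return n;
}
```

A refreshed flow costs one extra inspection when its stale entry reaches the top, which is the trade made to keep the per-packet path free of any re-sorting.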