[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
Nelson, Cooper
cnelson at ucsd.edu
Fri Feb 22 19:01:43 UTC 2019
What I ended up doing was just putting some windows on my desktop showing htop (all the threads would get pegged) and the packet drops from stats.log, since this was happening several times a day for extended periods.
I then wrote a script to just grab a million packets off the wire and show the top talkers. Found it pretty easily.
$ cat bin/top_flows.sh
#!/bin/bash
sudo tcpdump -tnn -c 100000 -i any 2>/dev/null | awk '{print $2,$3,$4,$5}' | sort | uniq -c | sort -nr | head
You could automate something like this to watch for packet drops in stats.log and then run the above script (I would recommend several times).
I think I've suggested in the past that if suri could dump the ring buffer to a file when the 'emergency flush' condition is triggered, you could just run the above script on the resulting pcap to find what caused it.
-Coop
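One way to automate the suggestion above of watching stats.log for packet drops and then running the capture several times. This is an added example, not part of the original message; the log path, threshold, interval, run count and the `capture.kernel_drops | Total | <value>` line layout are assumptions.

```shell
#!/bin/bash
# Assumed (not from the thread): log path, threshold, interval, run count,
# and the stats.log layout "capture.kernel_drops | Total | <value>".
STATS_LOG="${STATS_LOG:-/var/log/suricata/stats.log}"
THRESHOLD="${THRESHOLD:-1000}"  # new drops per check that trigger a capture
INTERVAL="${INTERVAL:-10}"      # seconds between checks
RUNS="${RUNS:-3}"               # captures per trigger

# Constructed sample: counter lines from two consecutive stats.log dumps.
sample_stats() {
cat <<'EOF'
capture.kernel_packets                     | Total                     | 900000
capture.kernel_drops                       | Total                     | 1200
capture.kernel_packets                     | Total                     | 1900000
capture.kernel_drops                       | Total                     | 5200
EOF
}

# Most recent cumulative kernel drop count read from stdin (0 if absent).
latest_drops() {
    awk -F'|' '$1 ~ /^capture\.kernel_drops[ \t]*$/ && $2 ~ /Total/ {
                   gsub(/[ \t]/, "", $3); v = $3 }
               END { print (v == "" ? 0 : v) }'
}

# New drops since the previous reading. The counter restarts at 0 when
# Suricata restarts, so a lower value is taken as the full new count.
drop_delta() {
    if [ "$2" -lt "$1" ]; then echo "$2"; else echo $(($2 - $1)); fi
}

# Same pipeline as top_flows.sh in the message.
top_flows() {
    sudo tcpdump -tnn -c 100000 -i any 2>/dev/null |
        awk '{print $2,$3,$4,$5}' | sort | uniq -c | sort -nr | head
}

watch_drops() {
    prev=$(tail -n 2000 "$STATS_LOG" | latest_drops)
    while sleep "$INTERVAL"; do
        cur=$(tail -n 2000 "$STATS_LOG" | latest_drops)
        delta=$(drop_delta "$prev" "$cur"); prev=$cur
        [ "$delta" -ge "$THRESHOLD" ] || continue
        for i in $(seq "$RUNS"); do
            echo "== $(date -u +%FT%TZ) +$delta drops, capture $i/$RUNS =="
            top_flows
        done
    done
}
# Start the loop only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--watch" ]; then watch_drops; fi
```

Run it with `--watch`; each trigger prints a timestamped header followed by the top-talker list, so the output can be redirected to a file and reviewed after a drop episode.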
-----Original Message-----
From: Peter Manev <petermanev at gmail.com>
Sent: Friday, February 22, 2019 9:43 AM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: Cloherty, Sean E <scloherty at mitre.org>; Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
Could be related indeed.
@Sean Could you try the following and give me some feedback please.