[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support

Peter Manev petermanev at gmail.com
Mon Feb 25 22:25:26 UTC 2019


On Fri, Feb 22, 2019 at 8:01 PM Nelson, Cooper <cnelson at ucsd.edu> wrote:
>
> What I ended up doing was just putting some windows on my desktop showing htop (all the threads would get pegged) and the packet drops from stats.log, since this was happening several times a day for extended periods.
>
> I then wrote a script to just grab a million packets off the wire and show the top talkers.  Found it pretty easily.
>
> $ cat bin/top_flows.sh
> #!/bin/bash
>
> sudo tcpdump -tnn -c 100000 -i any 2>/dev/null | awk '{print $2,$3,$4,$5}' | sort | uniq -c | sort -nr | head
>
> You could automate something like this to watch for packet drops in stats.log and then run the above script (I would recommend several times).
>
> I think I've suggested in the past if suri could dump the ring buffer to a file when the 'emergency flush' condition is triggered you could just run the above script on the resulting pcap to find what caused it.
>

@Sean - you might want to take Cooper's suggestion and dig into this to be sure.
Looking at your previous stats share, your packet loss amounts to about
0.43% if not mistaken - for which those bursts that you have noticed
might indeed be contributing.

> -Coop
>
> -----Original Message-----
> From: Peter Manev <petermanev at gmail.com>
> Sent: Friday, February 22, 2019 9:43 AM
> To: Nelson, Cooper <cnelson at ucsd.edu>
> Cc: Cloherty, Sean E <scloherty at mitre.org>; Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support
>
> Could be related indeed.
>
> @Sean Could you try the following and give me some feedback please.
>


-- 
Regards,
Peter Manev
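
The automation suggested in the quoted message (watch stats.log for packet drops, then run top_flows.sh several times) could look like the following. This is an added example, not code from the thread; it assumes Suricata's plain-text stats.log layout with the capture.kernel_packets and capture.kernel_drops counters, the default log path, and a hypothetical 1% threshold, and the sample dumps are constructed.

```shell
# Added example. Assumes stats.log rows of the form "counter | TM Name | value".
THRESHOLD_PCT=${THRESHOLD_PCT:-1}   # assumed trigger: >= 1% of an interval's packets dropped
# stdin: stats.log text. stdout: "date|drops_delta|drop_pct", one line per dump after the first.
drop_deltas() {
  awk -F'|' '
    function emit(   dd, dp) {
      if (!have) return
      if (seen) {
        dd = drops - pdrops; dp = pkts - ppkts
        if (dd < 0 || dp < 0) { dd = drops; dp = pkts }   # counters reset on restart
        printf "%s|%.0f|%.2f\n", date, dd, (dp > 0 ? 100 * dd / dp : 0)
      }
      seen = 1; pdrops = drops; ppkts = pkts; have = 0
    }
    /^Date:/ { emit(); date = $0; sub(/^Date: */, "", date); sub(/ *\(uptime.*/, "", date); started = 1 }
    !started { next }                                   # skip a dump cut in half by tail
    { name = $1; gsub(/ /, "", name); val = $3 + 0 }
    name == "capture.kernel_packets" { pkts = val }
    name == "capture.kernel_drops"   { drops = val; have = 1 }
    END { emit() }'
}
# Keep only intervals whose drop percentage is at least $1.
bursts() { awk -F'|' -v t="$1" '$3 + 0 >= t + 0'; }
# Constructed sample: three dumps, the last one showing a burst of drops.
sample_stats() {
  cat <<'EOF'
Date: 2/25/2019 -- 22:25:10 (uptime: 0d, 01h 00m 00s)
capture.kernel_packets                     | Total                     | 1000000
capture.kernel_drops                       | Total                     | 1000
Date: 2/25/2019 -- 22:25:18 (uptime: 0d, 01h 00m 08s)
capture.kernel_packets                     | Total                     | 1200000
capture.kernel_drops                       | Total                     | 1200
Date: 2/25/2019 -- 22:25:26 (uptime: 0d, 01h 00m 16s)
capture.kernel_packets                     | Total                     | 1400000
capture.kernel_drops                       | Total                     | 21200
EOF
}
# Poll the log (default path assumed) and run the thread's top_flows.sh on each new burst.
watch_drops() {
  log=${1:-/var/log/suricata/stats.log}; last=""
  while sleep 10; do
    hit=$(tail -n 2000 "$log" | drop_deltas | bursts "$THRESHOLD_PCT" | tail -n 1)
    [ -n "$hit" ] && [ "$hit" != "$last" ] || continue
    last=$hit; echo "drop burst: $hit"
    for i in 1 2 3; do bin/top_flows.sh; done   # several samples, as suggested in the thread
  done
}
if [ "${1:-}" = "--watch" ]; then watch_drops "${2:-}"; else sample_stats | drop_deltas; fi
```

Run with `--watch [path]` to poll a live log; without arguments it prints the per-interval deltas for the constructed sample.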

