
Strange increase in memory usage.

Hi folks,

My XG's memory usage suddenly went from 44% to 70% and has now settled at 60%.

This has only happened since I started adjusting maxpkts as part of the TOR/Psiphon blocking setup.

In the graph below the grey section is immediately after a restart.

Thoughts please?

Ian



  • Thanks.  I set the snort/cpu affinity with the command set ips ips-instance add IPS cpu for each of the four threads.  Now the show ips-settings shows four IPS instances and the performance and CPU usage with high bandwidth traffic is the same.  Top still shows five snort processes.  I remember reading somewhere that XG uses snort for IPS and another function, but I can't remember what this is.  Do you recall?  (Notice how the 5th snort has a different virtual size and a non-sequential PID, while the first four seem to fit together).

    console> show ips-settings                                                      
    -------------IPS Settings-------------                                          
            stream on                                                               
            lowmem off                                                              
            maxsesbytes 0                                                           
            maxpkts 8                                                               
            enable_appsignatures on                                                 
            http_response_scan_limit  65535                                         
            search_method ac-q                                                      
            sip_preproc enabled                                                     
            sip_ignore_call_channel enabled                                         
            inspect untrusted-content                                               
                                                                                    
    -------------IPS Instances------------                                          
    IPS CPU                                                                         
     1  0                                                                           
     2  1                                                                           
     3  2                                                                           
     4  3                   

     
    top - 19:04:36 up 19:50,  1 user,  load average: 0.19, 0.15, 0.10K              
    Tasks: 452 total,   1 running, 370 sleeping,   0 stopped,   0 zombie            
    Cpu0  :  4.3%us,  1.3%sy,  0.0%ni, 94.4%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st  
    Cpu1  :  6.7%us,  2.3%sy,  0.0%ni, 90.9%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st  
    Cpu2  :  1.7%us,  0.7%sy,  0.0%ni, 97.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st  
    Cpu3  :  3.3%us,  0.3%sy,  0.0%ni, 96.0%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st  
    Mem:   6094116k total,  5625472k used,   468644k free,   378492k buffers        
    Swap:  8050804k total,        0k used,  8050804k free,  1586988k cached         
                                                                                    
      PID  PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                     
    21818  20   0 2218m 1.1g  48m S  0.0 18.4   4:11.32 snort                       
    21819  20   0 2218m 1.1g  48m S  0.3 18.4   4:44.75 snort                       
    21820  20   0 2218m 1.1g  48m S  0.0 18.4   3:50.08 snort                       
    21817  20   0 2218m 1.1g  48m S  0.3 18.4   4:13.62 snort                       
    21667  20   0 1286m 1.0g  17m S  0.0 17.6   0:30.06 snort                       
     8452  20   0  612m 406m  14m S  0.0  6.8   1:17.04 avd                         
     7576  20   0 3776m 285m  17m S  0.3  4.8   1:14.15 java                        
     8409  20   0  314m 129m 8716 S  0.0  2.2   3:03.61 awarrenhttp                 
     7317  20   0  129m 117m 3316 S  0.0  2.0   0:57.17 dnscache                    
     6831  20   0 78476  55m  13m S  0.0  0.9   1:51.30 garner                      
     5861  20   0 46660  32m  32m S  0.0  0.5   0:00.25 postgres                    
     5893  20   0 46888  32m  31m S  0.0  0.5   0:05.47 postgres                    
     5862  20   0 46660  31m  30m S  0.0  0.5   0:00.19 postgres                    
     8297  20   0 34244  30m 5784 S  0.0  0.5   0:06.25 awed [master]               
                                                                  
     
  • Hi,

    5 snort instances seems odd to me, going on discussions from people with knowledge about snort. At this stage the snort in XG is only single-threaded, so having a 5th one is very odd. A newer version of snort is multi-threaded, but I am not sure about its production status and when it will be added to XG.

    In XG snort is used for classification as well as intrusion reporting/blocking.

    Ian
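
The observation in the first reply (four snort processes that fit together, plus a fifth with a different virtual size and a non-sequential PID) can be checked mechanically against the configured IPS instance count. This is an added example, not part of the original thread or of any Sophos tooling; the rows are copied from the top output above, and treating the group whose size equals the instance count as the per-CPU set is an assumption of the example.

```python
import re
from collections import defaultdict

# Rows copied from the top output posted in the first reply.
TOP_ROWS = """\
21818  20   0 2218m 1.1g  48m S  0.0 18.4   4:11.32 snort
21819  20   0 2218m 1.1g  48m S  0.3 18.4   4:44.75 snort
21820  20   0 2218m 1.1g  48m S  0.0 18.4   3:50.08 snort
21817  20   0 2218m 1.1g  48m S  0.3 18.4   4:13.62 snort
21667  20   0 1286m 1.0g  17m S  0.0 17.6   0:30.06 snort
 8452  20   0  612m 406m  14m S  0.0  6.8   1:17.04 avd
 6831  20   0 78476  55m  13m S  0.0  0.9   1:51.30 garner
"""

UNITS = {"": 1, "k": 1, "m": 1024, "g": 1024 * 1024}


def to_kib(field):
    """top prints sizes as plain KiB or with an m/g suffix."""
    match = re.fullmatch(r"([\d.]+)([kmg]?)", field)
    if not match:
        raise ValueError(f"unrecognised size field: {field!r}")
    return int(float(match.group(1)) * UNITS[match.group(2)])


def parse_top(rows):
    """Yield (pid, virt_kib, shr_kib, command) for each process row."""
    for line in rows.splitlines():
        # PID PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        fields = line.split(None, 10)
        if len(fields) == 11 and fields[0].isdigit():
            yield int(fields[0]), to_kib(fields[3]), to_kib(fields[5]), fields[10].strip()


def classify(rows, name="snort", configured_instances=4):
    """Split the named processes into the per-CPU set and outliers.

    Processes are grouped by (VIRT, SHR). Assumption: the group whose size
    equals the configured IPS instance count is the per-CPU set.
    """
    groups = defaultdict(list)
    for pid, virt, shr, cmd in parse_top(rows):
        if cmd == name:
            groups[(virt, shr)].append(pid)
    result = {"instances": [], "outliers": [], "contiguous_pids": False}
    for pids in groups.values():
        key = "instances" if len(pids) == configured_instances else "outliers"
        result[key].extend(sorted(pids))
    inst = result["instances"]
    result["contiguous_pids"] = bool(inst) and inst[-1] - inst[0] + 1 == len(inst)
    return result
```

Pass the instance count shown under "IPS Instances" in `show ips-settings` as `configured_instances`; on the posted data the fifth process, PID 21667, is reported as the outlier.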