Gentoo Archives: gentoo-user

From: "Timothy A. Holmes" <tholmes@×××××××××.net>
To: gentoo-user@l.g.o
Subject: [gentoo-user] My Snort server -- I Don't know whats wrong -- It seems to go to sleep
Date: Fri, 10 Nov 2006 22:36:38
Message-Id: 17CD9CE4C0FA574A8B29EF02D49B385D2A95AB@srvexch-01.mcaschool.local
Hi folks:

I've been fighting with this problem intermittently for some time now and
it's starting to get the better of me. The short summary is the box
keeps "going to sleep" on me. It won't respond to ssh or webpage
requests till I ping it about 10 times; after that it works normally.
It's a brand new install, specifically built for snort. I have looked
at power saving in the BIOS (it's all off); there are no options in the
BIOS for making NICs sleep (that I can find).

It does NOT appear that when it sleeps I am dropping packets; the
packet stream in snort is apparently complete. It's just like it gets
concentrating on snort so hard it forgets to respond till I poke it a
few times, BUT, as demonstrated below, the machine is basically just
loafing along.

This is getting REALLY annoying and I REALLY need some help to track it
down.


SYSTEM INFORMATION BELOW

I have a Pentium 4 workstation that I am using as a snort sniffer /
logger. Here is the output of lspci run on the box:

00:00.0 Host bridge: Intel Corporation 82865G/PE/P DRAM Controller/Host-Hub Interface (rev 02)
00:02.0 VGA compatible controller: Intel Corporation 82865G Integrated Graphics Controller (rev 02)
00:03.0 PCI bridge: Intel Corporation 82865G/PE/P PCI to CSA Bridge (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB2 EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corporation 82801EB/ER (ICH5/ICH5R) LPC Interface Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801EB/ER (ICH5/ICH5R) IDE Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801EB (ICH5) SATA Controller (rev 02)
00:1f.3 SMBus: Intel Corporation 82801EB/ER (ICH5/ICH5R) SMBus Controller (rev 02)
00:1f.5 Multimedia audio controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) AC'97 Audio Controller (rev 02)
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:01.0 Ethernet controller: Intel Corporation 82547EI Gigabit Ethernet Controller

It's got a custom-built kernel (not a genkernel), has a 40 gig hard drive
and 1 GB memory.

             total       used       free     shared    buffers     cached
Mem:           884        417        466          0         63        180
-/+ buffers/cache:        174        710
Swap:          964          0        964
moatmonster ~ #

It's running snort, mysql, apache, oinkmaster, barnyard etc. (it's a
unitasker -- no other jobs other than being the snort server).

Here is the output of top:

top - 17:20:03 up 3 days, 8:40, 2 users, load average: 0.00, 0.00, 0.00
Tasks: 50 total, 1 running, 49 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2% us, 0.0% sy, 0.0% ni, 99.8% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 905732k total, 428208k used, 477524k free, 64688k buffers
Swap: 987988k total, 0k used, 987988k free, 184940k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+ COMMAND
    1 root      16   0  1516  540  472 S    0  0.1  0:00.63 init
    2 root      RT   0     0    0    0 S    0  0.0  0:00.00 migration/0
    3 root      34  19     0    0    0 S    0  0.0  0:00.00 ksoftirqd/0
    4 root      RT   0     0    0    0 S    0  0.0  0:00.00 migration/1
    5 root      34  19     0    0    0 S    0  0.0  0:00.00 ksoftirqd/1
    6 root      10  -5     0    0    0 S    0  0.0  0:00.00 events/0
    7 root      10  -5     0    0    0 S    0  0.0  0:00.00 events/1
    8 root      10  -5     0    0    0 S    0  0.0  0:00.01 khelper
    9 root      10  -5     0    0    0 S    0  0.0  0:00.00 kthread
   12 root      10  -5     0    0    0 S    0  0.0  0:00.01 kblockd/0
   13 root      10  -5     0    0    0 S    0  0.0  0:00.00 kblockd/1
   14 root      14  -5     0    0    0 S    0  0.0  0:00.00 kacpid
  107 root      10  -5     0    0    0 S    0  0.0  0:00.02 kseriod
  110 root      10  -5     0    0    0 S    0  0.0  0:00.00 khubd
  162 root      20   0     0    0    0 S    0  0.0  0:00.00 pdflush
  163 root      15   0     0    0    0 S    0  0.0  0:00.20 pdflush
  164 root      18   0     0    0    0 S    0  0.0  0:00.00 kswapd0
  165 root      14  -5     0    0    0 S    0  0.0  0:00.00 aio/0
  166 root      14  -5     0    0    0 S    0  0.0  0:00.00 aio/1
  750 root       6 -10     0    0    0 S    0  0.0  0:00.08 vesafb
  776 root      13  -5     0    0    0 S    0  0.0  0:00.00 kpsmoused
  847 root      15   0     0    0    0 S    0  0.0  0:00.00 kirqd
  849 root      10  -5     0    0    0 S    0  0.0  0:00.57 kjournald
  960 root      17  -4  1740  532  352 S    0  0.1  0:00.16 udevd
 3645 root      15   0  1756  556  392 S    0  0.1  0:00.05 syslog-ng
 4674 root      16   0  3928  988  684 S    0  0.1  0:00.00 sshd
 4875 root      16   0  1764  672  548 S    0  0.1  0:00.01 cron
 4955 root      16   0  2328 1132  880 S    0  0.1  0:00.02 login
 4956 root      16   0  1552  628  544 S    0  0.1  0:00.00 agetty
 4957 root      16   0  1556  636  544 S    0  0.1  0:00.00 agetty
 4958 root      16   0  1552  628  544 S    0  0.1  0:00.00 agetty
 4959 root      16   0  1556  632  544 S    0  0.1  0:00.00 agetty
 4968 root      16   0  1552  628  544 S    0  0.1  0:00.00 agetty
 4984 root      18   0  2608 1508 1216 S    0  0.2  0:00.00 bash
27368 root      15   0  5632 3096 1696 S    0  0.3  0:03.60 snmpd
27528 mysql     16   0  125m  26m 4324 S    0  3.0  0:29.14 mysqld
27556 root      16   0 11996 6236 2688 S    0  0.7  0:00.07 apache2
27654 apache    16   0 11996 4884 1360 S    0  0.5  0:00.00 apache2
27655 apache    15   0 16976  10m 2468 S    0  1.2  0:02.22 apache2
27656 apache    15   0 17064  10m 2484 S    0  1.2  0:02.40 apache2
27657 apache    16   0 16968  10m 2464 S    0  1.2  0:02.11 apache2
27658 apache    16   0 16996  10m 2492 S    0  1.2  0:14.51 apache2
27659 apache    16   0 17016  10m 2472 S    0  1.2  0:04.35 apache2
31337 apache    16   0 17060  10m 2460 S    0  1.2  0:02.28 apache2
31387 apache    16   0 16956  10m 2464 S    0  1.2  0:02.21 apache2
 5503 snort     15   0 71336  66m 3224 S    0  7.5  0:12.69 snort
 5568 root      16   0 14196  10m 1192 S    0  1.2  0:07.71 barnyard
 5787 root      15   0  6752 2136 1716 S    0  0.2  0:00.04 sshd
 5792 root      15   0  2608 1516 1224 S    0  0.2  0:00.01 bash
 5801 root      16   0  2132 1080  836 R    0  0.1  0:00.00 top

The output from cacti (snmp monitoring suite) tells me that the maximum
inbound flow on the sniffing NIC (eth0) over the last day has been
118.28K

On the administrative NIC, the maximum flows in the same time period
have been:

Inbound: 5.9Kb/s
Outbound: 117.kb/s

The sniffer NIC is the Realtek NIC.
The admin NIC is the Intel one.

The sniffer is on a mirrored port that copies all the traffic from our
internet port directly behind the firewall; the admin interface is on a
normal switch port in the core switch.

Flows on those ports are well under 1 mb/s at all times.

Processor numbers from cacti are averaging 0.00 in the 1, 5 and 15
minute categories.

The memory use has not invaded swap at all.

And processes running are under 80 at all times.


Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...


--
gentoo-user@g.o mailing list
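The post measures the symptom by hand ("ping it about 10 times"), but gives no timestamps to line up against the box's own logs. The script below is an added example, not from the original post or the Gentoo list: run from another machine on the admin segment, it probes the host on a fixed interval, records the 1-based number of the first probe that got a reply (ICMP and a TCP connect to sshd, separately), and appends one tab-separated log line per probe type. Every round that logs anything other than "awake" is a timestamp you can compare with syslog-ng and snort on the box. Assumptions: Linux iputils `ping -c 1 -W <seconds>` flags, sshd on port 22, the host name `moatmonster` from the prompt in the post being resolvable, and a plain-text log file `wake-probe.log`.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): count how many probes a host
needs before it answers, and log each measurement with a timestamp.

Assumptions: Linux iputils `ping -c 1 -W <s>`, sshd on TCP port 22, and a
plain-text log file that can be appended to.
"""
import datetime
import socket
import subprocess
import sys
import time
from typing import Callable, Optional

Probe = Callable[[], bool]


def icmp_probe(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo request via the system ping binary (iputils flags assumed)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def tcp_probe(host: str, port: int = 22, timeout_s: float = 2.0) -> bool:
    """TCP connect to the service the post says goes quiet (sshd on 22 assumed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def probes_until_reply(probe: Probe, max_probes: int = 20, delay_s: float = 0.0) -> Optional[int]:
    """Return the 1-based number of the first probe that succeeded, or None if none did."""
    for attempt in range(1, max_probes + 1):
        if probe():
            return attempt
        if delay_s:
            time.sleep(delay_s)
    return None


def classify(attempts: Optional[int]) -> str:
    """Label one measurement so the log can be grepped."""
    if attempts is None:
        return "unreachable"
    if attempts == 1:
        return "awake"
    return f"woke-after-{attempts}"


def log_entry(when: datetime.datetime, host: str, kind: str, attempts: Optional[int]) -> str:
    """One tab-separated log line: timestamp, host, probe type, label, count."""
    count = "-" if attempts is None else str(attempts)
    return f"{when.isoformat(timespec='seconds')}\t{host}\t{kind}\t{classify(attempts)}\t{count}"


def monitor(host: str, interval_s: float, log_path: str, rounds: Optional[int] = None) -> None:
    """Probe `host` every `interval_s` seconds and append two lines per round.

    rounds=None runs until interrupted; a finite value is handy for a quick
    check. Both probe types are measured in the same round so a wake-up that
    shows on ICMP but not on sshd (or the reverse) is visible in the log.
    """
    done = 0
    with open(log_path, "a") as log:
        while rounds is None or done < rounds:
            now = datetime.datetime.now()
            icmp = probes_until_reply(lambda: icmp_probe(host))
            log.write(log_entry(now, host, "icmp", icmp) + "\n")
            ssh = probes_until_reply(lambda: tcp_probe(host))
            log.write(log_entry(now, host, "tcp22", ssh) + "\n")
            log.flush()
            done += 1
            time.sleep(interval_s)


if __name__ == "__main__":
    # Host name taken from the prompt in the post; assumed resolvable from here.
    target = sys.argv[1] if len(sys.argv) > 1 else "moatmonster"
    monitor(target, interval_s=60.0, log_path="wake-probe.log")
```

Left running for a day alongside cacti, the log answers two questions the post cannot yet: whether the count of probes needed is stable (always around 10) or varies with how long the box has been idle, and whether ICMP and sshd come back together. Lining those timestamps up against syslog-ng and the snort logs on the box narrows down where the time is going before anyone starts swapping hardware or kernel options.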
