From: "Timothy A. Holmes"
To: gentoo-user@lists.gentoo.org
Date: Fri, 10 Nov 2006 17:32:10 -0500
Subject: [gentoo-user] My Snort server -- I don't know what's wrong -- it seems to go to sleep
Message-ID: <17CD9CE4C0FA574A8B29EF02D49B385D2A95AB@srvexch-01.mcaschool.local>

Hi folks:

I've been fighting with this problem intermittently for some time now and it's starting to get the better of me. The short summary is the box keeps "going to sleep" on me. It won't respond to ssh or web page requests till I ping it about 10 times; after that it works normally. It's a brand new install, specifically built for Snort.
I have looked at power saving in the BIOS (it's all off); there are no options in the BIOS for making NICs sleep (that I can find). It does NOT appear that when it sleeps I am dropping packets: the packet stream in Snort is apparently complete. It's just like it gets concentrating on Snort so hard it forgets to respond till I poke it a few times, BUT, as demonstrated below, the machine is basically just loafing along. This is getting REALLY annoying and I REALLY need some help to track it down.

SYSTEM INFORMATION BELOW

I have a Pentium 4 workstation that I am using as a Snort sniffer / logger. Here is the output of lspci run on the box:

00:00.0 Host bridge: Intel Corporation 82865G/PE/P DRAM Controller/Host-Hub Interface (rev 02)
00:02.0 VGA compatible controller: Intel Corporation 82865G Integrated Graphics Controller (rev 02)
00:03.0 PCI bridge: Intel Corporation 82865G/PE/P PCI to CSA Bridge (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) USB2 EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corporation 82801EB/ER (ICH5/ICH5R) LPC Interface Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801EB/ER (ICH5/ICH5R) IDE Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801EB (ICH5) SATA Controller (rev 02)
00:1f.3 SMBus: Intel Corporation 82801EB/ER (ICH5/ICH5R) SMBus Controller (rev 02)
00:1f.5 Multimedia audio controller: Intel Corporation 82801EB/ER (ICH5/ICH5R) AC'97 Audio Controller (rev 02)
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
02:01.0 Ethernet controller: Intel Corporation 82547EI Gigabit Ethernet Controller

It's got a custom built kernel (not a genkernel), has a 40 GB hard drive and 1 GB memory:

             total       used       free     shared    buffers     cached
Mem:           884        417        466          0         63        180
-/+ buffers/cache:        174        710
Swap:          964          0        964
moatmonster ~ #

It's running snort, mysql, apache, oinkmaster, barnyard etc. (it's a unitasker -- no other jobs other than be the Snort server). Here is the output of top:

top - 17:20:03 up 3 days, 8:40, 2 users, load average: 0.00, 0.00, 0.00
Tasks: 50 total, 1 running, 49 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2% us, 0.0% sy, 0.0% ni, 99.8% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 905732k total, 428208k used, 477524k free, 64688k buffers
Swap: 987988k total, 0k used, 987988k free, 184940k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    1 root      16   0  1516  540  472 S    0  0.1   0:00.63 init
    2 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/0
    3 root      34  19     0    0    0 S    0  0.0   0:00.00 ksoftirqd/0
    4 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/1
    5 root      34  19     0    0    0 S    0  0.0   0:00.00 ksoftirqd/1
    6 root      10  -5     0    0    0 S    0  0.0   0:00.00 events/0
    7 root      10  -5     0    0    0 S    0  0.0   0:00.00 events/1
    8 root      10  -5     0    0    0 S    0  0.0   0:00.01 khelper
    9 root      10  -5     0    0    0 S    0  0.0   0:00.00 kthread
   12 root      10  -5     0    0    0 S    0  0.0   0:00.01 kblockd/0
   13 root      10  -5     0    0    0 S    0  0.0   0:00.00 kblockd/1
   14 root      14  -5     0    0    0 S    0  0.0   0:00.00 kacpid
  107 root      10  -5     0    0    0 S    0  0.0   0:00.02 kseriod
  110 root      10  -5     0    0    0 S    0  0.0   0:00.00 khubd
  162 root      20   0     0    0    0 S    0  0.0   0:00.00 pdflush
  163 root      15   0     0    0    0 S    0  0.0   0:00.20 pdflush
  164 root      18   0     0    0    0 S    0  0.0   0:00.00 kswapd0
  165 root      14  -5     0    0    0 S    0  0.0   0:00.00 aio/0
  166 root      14  -5     0    0    0 S    0  0.0   0:00.00 aio/1
  750 root       6 -10     0    0    0 S    0  0.0   0:00.08 vesafb
  776 root      13  -5     0    0    0 S    0  0.0   0:00.00 kpsmoused
  847 root      15   0     0    0    0 S    0  0.0   0:00.00 kirqd
  849 root      10  -5     0    0    0 S    0  0.0   0:00.57 kjournald
  960 root      17  -4  1740  532  352 S    0  0.1   0:00.16 udevd
 3645 root      15   0  1756  556  392 S    0  0.1   0:00.05 syslog-ng
 4674 root      16   0  3928  988  684 S    0  0.1   0:00.00 sshd
 4875 root      16   0  1764  672  548 S    0  0.1   0:00.01 cron
 4955 root      16   0  2328 1132  880 S    0  0.1   0:00.02 login
 4956 root      16   0  1552  628  544 S    0  0.1   0:00.00 agetty
 4957 root      16   0  1556  636  544 S    0  0.1   0:00.00 agetty
 4958 root      16   0  1552  628  544 S    0  0.1   0:00.00 agetty
 4959 root      16   0  1556  632  544 S    0  0.1   0:00.00 agetty
 4968 root      16   0  1552  628  544 S    0  0.1   0:00.00 agetty
 4984 root      18   0  2608 1508 1216 S    0  0.2   0:00.00 bash
27368 root      15   0  5632 3096 1696 S    0  0.3   0:03.60 snmpd
27528 mysql     16   0  125m  26m 4324 S    0  3.0   0:29.14 mysqld
27556 root      16   0 11996 6236 2688 S    0  0.7   0:00.07 apache2
27654 apache    16   0 11996 4884 1360 S    0  0.5   0:00.00 apache2
27655 apache    15   0 16976  10m 2468 S    0  1.2   0:02.22 apache2
27656 apache    15   0 17064  10m 2484 S    0  1.2   0:02.40 apache2
27657 apache    16   0 16968  10m 2464 S    0  1.2   0:02.11 apache2
27658 apache    16   0 16996  10m 2492 S    0  1.2   0:14.51 apache2
27659 apache    16   0 17016  10m 2472 S    0  1.2   0:04.35 apache2
31337 apache    16   0 17060  10m 2460 S    0  1.2   0:02.28 apache2
31387 apache    16   0 16956  10m 2464 S    0  1.2   0:02.21 apache2
 5503 snort     15   0 71336  66m 3224 S    0  7.5   0:12.69 snort
 5568 root      16   0 14196  10m 1192 S    0  1.2   0:07.71 barnyard
 5787 root      15   0  6752 2136 1716 S    0  0.2   0:00.04 sshd
 5792 root      15   0  2608 1516 1224 S    0  0.2   0:00.01 bash
 5801 root      16   0  2132 1080  836 R    0  0.1   0:00.00 top

The output from cacti (SNMP monitoring suite) tells me that the maximum inbound flow on the sniffing NIC (eth0) over the last day has been 118.28K. On the administrative NIC, the maximum flows in the same time period have been:

Inbound: 5.9Kb/s
Outbound: 117.kb/s

The sniffer NIC is the Realtek NIC; the admin NIC is the Intel one. The sniffer is on a mirrored port that copies all the traffic from our internet port directly behind the firewall; the admin interface is on a normal switch port in the core switch. Flows on those ports are well under 1 Mb/s at all times.

Processor numbers from cacti are averaging 0.00 in the 1, 5 and 15 minute categories. The memory use has not invaded swap at all, and processes running are under 80 at all times.

Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...
-- 
gentoo-user@gentoo.org mailing list
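The post's symptom (ssh and HTTP on the admin NIC stop answering until the box is pinged several times, while load, memory and traffic are all near idle) is the kind of thing that is easier to pin down with a timestamped probe log than with top. The script below is an added diagnostic example written for this thread; it is not code from the original post, from Snort or from Gentoo. It runs on the admin workstation, not on the sensor: every few seconds it attempts a TCP connection to the sensor's admin address, records the result and round-trip time together with the local ARP/neighbour cache state for that address (via `ip neigh`), and a second function turns the resulting log into a list of stalls (how many probes failed before the host came back, and what the neighbour entry looked like when the stall began). `ADMIN_IP` and `PROBE_PORT` are assumed placeholders, and the sample log at the bottom is constructed so the parsing and stall detection can be exercised offline.

```python
#!/usr/bin/env python3
"""Probe loop for a sensor that intermittently stops answering on its admin NIC.

Added diagnostic example; not code from the original post, Snort or Gentoo.
ADMIN_IP and PROBE_PORT are assumed placeholders; SAMPLE_LOG is constructed.
"""
import datetime
import socket
import subprocess
import time

ADMIN_IP = "192.0.2.10"   # assumed placeholder for the sensor's admin (Intel) NIC
PROBE_PORT = 22           # assumed: the service that stops answering (sshd)
INTERVAL = 5              # seconds between probes


def tcp_probe(host, port, timeout=2.0):
    """Open and immediately close a TCP connection; return (ok, elapsed_seconds)."""
    t0 = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - t0
    except OSError:
        return False, time.monotonic() - t0


def neighbour_state(host):
    """Local ARP/neighbour cache state for host as reported by `ip neigh`:
    the last word of the entry (REACHABLE, STALE, FAILED, ...), 'none' if
    there is no entry, or 'n/a' if ip(8) is not installed on this machine."""
    try:
        out = subprocess.run(["ip", "neigh", "show", host],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "n/a"
    words = out.split()
    return words[-1] if words else "none"


def probe_line(host=ADMIN_IP, port=PROBE_PORT):
    """One log line: ISO timestamp, ok|fail, round-trip seconds, neighbour state."""
    ok, rtt = tcp_probe(host, port)
    ts = datetime.datetime.now().replace(microsecond=0).isoformat()
    return "%s %s %.3f %s" % (ts, "ok" if ok else "fail", rtt, neighbour_state(host))


def parse_log(lines):
    """Parse probe lines into (timestamp, ok, rtt, neighbour) tuples; skip blanks and comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, status, rtt, neigh = line.split()
        records.append((ts, status == "ok", float(rtt), neigh))
    return records


def find_stalls(records):
    """Group consecutive failed probes into stalls. Each stall is
    (start_ts, failed_probes, neighbour_state_at_first_failure, recovered);
    recovered is False when the log ends while the host is still down."""
    stalls = []
    run = None
    for ts, ok, _rtt, neigh in records:
        if not ok:
            if run is None:
                run = [ts, 0, neigh]
            run[1] += 1
        elif run is not None:
            stalls.append((run[0], run[1], run[2], True))
            run = None
    if run is not None:
        stalls.append((run[0], run[1], run[2], False))
    return stalls


# Constructed sample log: a four-probe stall during which the neighbour entry
# degrades from STALE to FAILED, followed by recovery.
SAMPLE_LOG = """\
2006-11-10T17:20:00 ok 0.004 REACHABLE
2006-11-10T17:20:05 ok 0.003 REACHABLE
2006-11-10T17:20:10 fail 2.001 STALE
2006-11-10T17:20:15 fail 2.000 FAILED
2006-11-10T17:20:20 fail 2.002 FAILED
2006-11-10T17:20:25 fail 2.001 FAILED
2006-11-10T17:20:30 ok 0.005 REACHABLE
2006-11-10T17:20:35 ok 0.004 REACHABLE
""".splitlines()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        for stall in find_stalls(parse_log(SAMPLE_LOG)):
            print("stall at %s: %d failed probes, neighbour was %s, recovered=%s" % stall)
    else:
        # Real use: run on the admin workstation and append stdout to a file.
        while True:
            print(probe_line(), flush=True)
            time.sleep(INTERVAL)
```

Run it with `--demo` to see the stall detection on the constructed sample; without arguments it probes forever, so redirect its output to a file and feed that file to `parse_log`/`find_stalls` after the next incident. The neighbour column is what makes the log worth keeping: a stall during which the workstation's entry for the sensor reads FAILED or disappears, while the sensor itself shows the link up, narrows the problem to address resolution on the admin segment, whereas a stall with the entry still REACHABLE points at the host or the service rather than at ARP. Either way, the count of failed probes per stall gives a measured version of "ping it about 10 times".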