Pete,

Just after the restart of the Sniffer service, times dropped back down into the ms from 30+ seconds before, so what I am saying is that if I/O was the issue, it was merely the trigger for something that put the service in a bad state when it started. I/O issues are not persistent, but could happen from time to time I'm sure. Restarting Sniffer with a backlog of 2,500 messages and normal peak traffic will not re-trigger the condition, and I press Declude to run up to 300 messages at a time in situations like that, and the CPU's are pegged until the backlog clears. In the past, I restarted the whole system, not knowing why it worked. During normal peak times (without bursts), the Declude is processing about 125 messages at a time which take an average of 6 seconds to fully process, and therefore Sniffer is probably handling only about 10 messages at a time (at peak).


Since 5/22 I have seen 4 or 5 different events like this, and I confirmed that they are all present in the SNFclient.exe.err log.

Matt



On 6/28/2013 12:41 PM, Pete McNeil wrote:
On 2013-06-28 12:10, Matt wrote:
I am looking to retool presently just because it's time. So if you are convinced that this is due to low resources, don't concern yourself with it.

Ok. It makes sense that the ~200 messages all at once could have happend at the restart. SNFClient will keep trying for 30-90 seconds before it gives up and spits out it's error file. That's where your delays are coming from. SNF itself was clocking only about 100-800ms for all of the scans.

The error result you report is exactly the one sent by SNF -- that it was unable to open the file.

I am very sure this is resource related -- your scans should not be taking the amount of time they are and I suspect most of that time is eaten up trying to get to the files. The occasional errors of the same time are a good hint that IO is to blame.

The new spam that we've seen often includes large messages -- so that's going to put a higher load on IO resources -- I'll bet that the increased volume and large message sizes are pushing IO over the edge or at least very close to it.

Best,

_M




#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to  <sniffer-requ...@sortmonster.com>

Reply via email to