Pete,
Just after the restart of the Sniffer service, times dropped back down
into the ms from 30+ seconds before, so what I am saying is that if I/O
was the issue, it was merely the trigger for something that put the
service in a bad state when it started. I/O issues are not persistent,
but could happen from time to time I'm sure. Restarting Sniffer with a
backlog of 2,500 messages and normal peak traffic will not re-trigger
the condition, and I press Declude to run up to 300 messages at a time
in situations like that, and the CPU's are pegged until the backlog
clears. In the past, I restarted the whole system, not knowing why it
worked. During normal peak times (without bursts), the Declude is
processing about 125 messages at a time which take an average of 6
seconds to fully process, and therefore Sniffer is probably handling
only about 10 messages at a time (at peak).
Since 5/22 I have seen 4 or 5 different events like this, and I
confirmed that they are all present in the SNFclient.exe.err log.
Matt
On 6/28/2013 12:41 PM, Pete McNeil wrote:
On 2013-06-28 12:10, Matt wrote:
I am looking to retool presently just because it's time. So if you
are convinced that this is due to low resources, don't concern
yourself with it.
Ok. It makes sense that the ~200 messages all at once could have
happend at the restart. SNFClient will keep trying for 30-90 seconds
before it gives up and spits out it's error file. That's where your
delays are coming from. SNF itself was clocking only about 100-800ms
for all of the scans.
The error result you report is exactly the one sent by SNF -- that it
was unable to open the file.
I am very sure this is resource related -- your scans should not be
taking the amount of time they are and I suspect most of that time is
eaten up trying to get to the files. The occasional errors of the same
time are a good hint that IO is to blame.
The new spam that we've seen often includes large messages -- so
that's going to put a higher load on IO resources -- I'll bet that the
increased volume and large message sizes are pushing IO over the edge
or at least very close to it.
Best,
_M
#############################################################
This message is sent to you because you are subscribed to
the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to <sniffer-requ...@sortmonster.com>