On Sun, Jul 15, 2012 at 7:17 PM, C Anthony Risinger <[email protected]> wrote:

> hello,
>
> first off, SPA is pretty neat and it's great to see the 2.0 release in
> C -- i'm looking forward to getting all the GPG stuff working.
>
>
Great, let me know how it goes.


> however, it concerns me that all the machines running this report
> fwknopd as consuming a fair amount of resources, continuously. for
> example (top excerpt, 7 day uptime):
>
> %CPU %MEM    TIME+  COMMAND
> 0.7  0.4  46:37.31 fwknopd
> 0.0  0.4   0:00.01 sshd
> 0.0  0.4   0:00.12 bash
> 0.0  0.3   0:02.77 systemd
> 0.0  0.3   0:00.00 sshd
> 0.0  0.2   0:53.38 ntpd
> 0.0  0.2   0:00.00 sshd
> 0.0  0.2   0:03.81 avahi-daemon
>
> ... this server is almost 100% idle right now (in fact, Linode panel
> shows less than 1MiB *total* traffic in 5 days ... couple ssh sessions
> only).  fwknopd uses a consistent 0.3-0.9% CPU at all times,
> interrupting frequently.  same results on ARMv7 pandaboard. strace
> shows rapid nanosleep() + poll() loop:
>
> [...]
> nanosleep({0, 10000000}, NULL)          = 0
> poll([{fd=4, events=POLLIN}], 1, 0)     = 0 (Timeout)
> nanosleep({0, 10000000}, NULL)          = 0
> poll([{fd=4, events=POLLIN}], 1, 0)     = 0 (Timeout)
> nanosleep({0, 10000000}, NULL)          = 0
> poll([{fd=4, events=POLLIN}], 1, 0)     = 0 (Timeout)
> [...]
>
> ... how can this be remedied?  bleh, i also had a related question
> but it's escaping me for now ...
>
>
In the fwknop-2.0 release there are two configuration variables in the
/etc/fwknop/fwknopd.conf file that control how long fwknopd sleeps in the
packet acquisition loop (PCAP_LOOP_SLEEP) and how many packets are
processed for each loop iteration (PCAP_DISPATCH_COUNT).  By default,
PCAP_LOOP_SLEEP is set to 10,000 microseconds, or 1/10th of a second, and
the PCAP_DISPATCH_COUNT is set to zero meaning all packets seen in the
interval (some older versions of libpcap don't accept zero here and would
expect some other positive integer).

I'd say that the PCAP_LOOP_SLEEP variable should be increased on your
system.  On my system, I can get fwknopd to consume a lot of CPU if I
reduce PCAP_LOOP_SLEEP.  Perhaps the default should be, say, closer to
1/3rd of a second or something though.

Thanks,

--Mike


> thanks,
>
> --
>
> C Anthony
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>



-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
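
An added illustration, not fwknopd source and not part of the original messages: a small C program that reproduces the nanosleep() + poll() pattern from the strace excerpt and counts wakeups at different sleep intervals. The idle pipe standing in for the pcap descriptor, the `count_wakeups` name and the sample intervals are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Monotonic clock reading in microseconds. */
static long long now_us(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000000LL + ts.tv_nsec / 1000;
}

/*
 * Run the sleep-then-poll pattern for window_us microseconds, sleeping
 * sleep_us per iteration, and return the number of wakeups (iterations).
 * The idle pipe is a constructed stand-in for the pcap descriptor.
 * Returns -1 if the pipe cannot be created.
 */
long count_wakeups(long sleep_us, long window_us)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    struct pollfd pfd = { .fd = fds[0], .events = POLLIN };
    struct timespec nap = { .tv_sec = sleep_us / 1000000L,
                            .tv_nsec = (sleep_us % 1000000L) * 1000L };
    long wakeups = 0;
    long long start = now_us();

    while (now_us() - start < window_us) {
        nanosleep(&nap, NULL);  /* plays the role of PCAP_LOOP_SLEEP */
        poll(&pfd, 1, 0);       /* zero timeout: returns at once when idle */
        wakeups++;
    }
    close(fds[0]);
    close(fds[1]);
    return wakeups;
}

int main(void)
{
    long window = 500000;                        /* measure half a second */
    long settings[] = { 10000, 100000, 333333 }; /* sleep values in usec */
    for (int i = 0; i < 3; i++)
        printf("sleep=%ld us -> %ld wakeups in %ld us\n",
               settings[i], count_wakeups(settings[i], window), window);
    return 0;
}
```

Each wakeup costs a context switch even when no packet arrives, so the wakeup count is a rough proxy for the idle CPU cost reported in the top excerpt.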