Ok looking at the log I see quite a few messages taking over a second to
process (samples below):
<s u='20130328155503' m=\temp\1332407477322.msg' s='0' r='0'>
<p s='1172' t='1109' l='72697' d='127'/>
<g o='0' i='12.130.136.172' t='u' c='0.486243' p='-0.625' r='Normal'/>
</s>
<s u='20130328155506' m='\temp\1332407477336.msg' s='60' r='5113015'>
<m s='60' r='5113015' i='235' e='280' f='m'/>
<m s='60' r='4346940' i='16722' e='16812' f='m'/>
<p s='1141' t='937' l='16658' d='129'/>
<g o='0' i='192.210.233.215' t='u' c='0.360316' p='0.575758'
r='Normal'/>
</s>
<s u='20130328155513' m='\temp\1332407477360.msg' s='52' r='5470216'>
<m s='52' r='5470216' i='235' e='295' f='m'/>
<m s='52' r='5471910' i='949' e='1009' f='m'/>
<m s='52' r='5431546' i='1074' e='1200' f='m'/>
<m s='52' r='5479780' i='1857' e='1933' f='m'/>
<m s='62' r='5303955' i='82' e='2688' f='m'/>
<m s='52' r='5400681' i='1818' e='9143' f='m'/>
<p s='1031' t='750' l='8538' d='130'/>
<g o='0' i='192.210.134.21' t='u' c='0.545993' p='0.82' r='Black'/>
</s>
<s u='20130328155622' m=\temp\1332407477655.msg' s='60' r='5538969'>
<m s='60' r='5538969' i='221' e='236' f='m'/>
<m s='61' r='5448415' i='2283' e='2297' f='m'/>
<m s='61' r='5438936' i='2247' e='2337' f='m'/>
<m s='60' r='5404555' i='15832' e='15850' f='m'/>
<m s='60' r='5539002' i='16033' e='16074' f='m'/>
<m s='62' r='5437246' i='30967' e='30985' f='m'/>
<p s='1219' t='1312' l='17171' d='135'/>
<g o='0' i='205.234.138.240' t='u' c='0.634697' p='0.763214'
r='Normal'/>
</s>
On Wed, Mar 27, 2013 at 4:42 PM, Pete McNeil
<madscient...@armresearch.com>wrote:
> On 2013-03-27 17:16, Richard Stupek wrote:
>
>> The spikes aren't as prolonged at the present.
>>
>
> Interesting. A short spike like that might be expected if the message was
> longer than usual, but on average SNF should be very light-weight.
>
> One thing you can check is the performance data in your logs. That will
> show how much time in cpu milleseconds it is taking for each scan and how
> long the scans are in bytes. This might shed some light.
>
> http://www.armresearch.com/**support/articles/software/**
> snfServer/logFiles/**activityLogs.jsp<http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp>
>
> Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.
>
> From the documentation:
>
> <s><p/></s> - Scan Performance Monitoring (performance='yes')
>> p:s = Setup time in milliseconds
>> p:t = Scan time in milliseconds
>> p:l = Scan length in bytes
>> p:d = Scan depth (peak evaluator count)
>>
>>
> Best,
>
>
> _M
>
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller
>
>
> ##############################**##############################**#
> This message is sent to you because you are subscribed to
> the mailing list <sniffer@sortmonster.com>.
> This list is for discussing Message Sniffer,
> Anti-spam, Anti-Malware, and related email topics.
> For More information see http://www.armresearch.com
> To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
> To switch to the DIGEST mode, E-mail to
> <sniffer-digest@sortmonster.**com<sniffer-dig...@sortmonster.com>
> >
> To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com**>
> Send administrative queries to
> <sniffer-request@sortmonster.**com<sniffer-requ...@sortmonster.com>
> >
>
>
