Richard,
Do you have any directories with a large number of files (>4k)? We had a
similar problem a few months back with sniffer scans taking much longer to
complete and sniffer temporary files being left over. We finally traced the
performance issues to a frequently accessed directory with thousands of
files. We’ve also seen issues in the past with directories with a large
number of files being very poor performing.
Darin.
From: Richard Stupek
Sent: Thursday, March 28, 2013 12:10 PM
To: Message Sniffer Community
Subject: [sniffer] Re: IP Change on rulebase delivery system
Ok looking at the log I see quite a few messages taking over a second to
process (samples below):
<s u='20130328155503' m=\temp\1332407477322.msg' s='0' r='0'>
<p s='1172' t='1109' l='72697' d='127'/>
<g o='0' i='12.130.136.172' t='u' c='0.486243' p='-0.625' r='Normal'/>
</s>
<s u='20130328155506' m='\temp\1332407477336.msg' s='60' r='5113015'>
<m s='60' r='5113015' i='235' e='280' f='m'/>
<m s='60' r='4346940' i='16722' e='16812' f='m'/>
<p s='1141' t='937' l='16658' d='129'/>
<g o='0' i='192.210.233.215' t='u' c='0.360316' p='0.575758'
r='Normal'/>
</s>
<s u='20130328155513' m='\temp\1332407477360.msg' s='52' r='5470216'>
<m s='52' r='5470216' i='235' e='295' f='m'/>
<m s='52' r='5471910' i='949' e='1009' f='m'/>
<m s='52' r='5431546' i='1074' e='1200' f='m'/>
<m s='52' r='5479780' i='1857' e='1933' f='m'/>
<m s='62' r='5303955' i='82' e='2688' f='m'/>
<m s='52' r='5400681' i='1818' e='9143' f='m'/>
<p s='1031' t='750' l='8538' d='130'/>
<g o='0' i='192.210.134.21' t='u' c='0.545993' p='0.82' r='Black'/>
</s>
<s u='20130328155622' m=\temp\1332407477655.msg' s='60' r='5538969'>
<m s='60' r='5538969' i='221' e='236' f='m'/>
<m s='61' r='5448415' i='2283' e='2297' f='m'/>
<m s='61' r='5438936' i='2247' e='2337' f='m'/>
<m s='60' r='5404555' i='15832' e='15850' f='m'/>
<m s='60' r='5539002' i='16033' e='16074' f='m'/>
<m s='62' r='5437246' i='30967' e='30985' f='m'/>
<p s='1219' t='1312' l='17171' d='135'/>
<g o='0' i='205.234.138.240' t='u' c='0.634697' p='0.763214'
r='Normal'/>
</s>
On Wed, Mar 27, 2013 at 4:42 PM, Pete McNeil <[email protected]>
wrote:
On 2013-03-27 17:16, Richard Stupek wrote:
The spikes aren't as prolonged at the present.
Interesting. A short spike like that might be expected if the message was
longer than usual, but on average SNF should be very light-weight.
One thing you can check is the performance data in your logs. That will
show how much time in cpu milleseconds it is taking for each scan and how
long the scans are in bytes. This might shed some light.
http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp
Look for something like <p s='10' t='8' l='3294' d='84'/> in each scan.
>From the documentation:
<s><p/></s> - Scan Performance Monitoring (performance='yes')
p:s = Setup time in milliseconds
p:t = Scan time in milliseconds
p:l = Scan length in bytes
p:d = Scan depth (peak evaluator count)
Best,
_M
--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[email protected]>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <[email protected]>
To switch to the DIGEST mode, E-mail to <[email protected]>
To switch to the INDEX mode, E-mail to <[email protected]>
Send administrative queries to <[email protected]>
