Some targets support file path expansion. For example, target_http can have the following prefix configured:
prefix = /mnt/data/${ipv4.src}/${tcp.sport}/http/dump-
If a connection is established from 10.0.0.1 with source port 3000, the directory /mnt/data/10.0.0.1/3000/http/ will be created and the files for that connection will be written there.
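As an added illustration (this is not packet-o-matic code), the shell functions below reimplement the expansion described above for the two variables used on this page, ${ipv4.src} and ${tcp.sport}, and create the directory part of the result the way a target would before opening its first file. The second connection (192.168.1.7, port 51234) and the scratch directory used instead of /mnt/data are constructed for the example. Both fields are an IPv4 address and a port number, which cannot contain a path separator, so the expanded path cannot escape the configured base directory; check that any other field you put in a prefix has the same property.

```shell
#!/bin/sh
# Added example, not packet-o-matic code: reimplementation of the prefix
# expansion for ${ipv4.src} and ${tcp.sport} only (the real target expands
# the fields of the packet it is processing).

# expand_prefix TEMPLATE SRC_IP SRC_PORT -> prints the expanded prefix
expand_prefix() {
    template=$1 src=$2 sport=$3
    printf '%s\n' "$template" |
        sed -e "s|\${ipv4\.src}|$src|g" -e "s|\${tcp\.sport}|$sport|g"
}

# prepare_dump_dir PREFIX -> creates the directory part of PREFIX (the
# part before the "dump-" file name prefix) and prints it
prepare_dump_dir() {
    dir=$(dirname "$1")
    mkdir -p "$dir" && printf '%s\n' "$dir"
}

# Constructed connections: the one from the text, and a second one, under a
# scratch base directory so the example runs anywhere without /mnt/data.
base=$(mktemp -d)
for conn in "10.0.0.1 3000" "192.168.1.7 51234"; do
    set -- $conn
    prefix=$(expand_prefix "$base"'/${ipv4.src}/${tcp.sport}/http/dump-' "$1" "$2")
    prepare_dump_dir "$prefix"
done
rm -rf "$base"
```

Running it prints one directory per connection, e.g. <base>/10.0.0.1/3000/http and <base>/192.168.1.7/51234/http, which is where the dump-* files for that connection would land.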
When you disable a rule, the connections already being processed by that rule's targets continue to be processed until they are closed. This is not the case when you stop a target: stopping a target stops all of its processing immediately.
In a telnet session, you can enable debugging with the following command:
debug cli set <0-5>
You can also change the console (program output) debug level with this command:
debug console set <0-5>
You can set the debug level from 0 (no output) to 5 (troubleshooting output). The default level for the program console is 3 (errors, warnings and informational messages). Raising the level to 5 is rarely a good idea, as it produces a lot of output. The debug levels are the following:
By default, a ring buffer of 10000 packets is used. If each packet holds ~1600 bytes of data, that is roughly 16 MB of memory. You can reduce it with the following command while the input is stopped:
core parameter set ringbuffer_size 1000
A shorter ring buffer uses less memory, but it makes it more likely that packets are dropped when the program cannot keep up.
Most of the time, helper_tcp is loaded automatically. This helper attaches connection tracking information to every TCP connection it sees, which can use a lot of memory if you have many connections. If you don't need helper_tcp, you can simply unload it with:
helper unload tcp
Before doing so, make sure you are not using any target that needs the packets to be in the right order: target_dump_payload and target_http, for example, will write unusable cruft without it. You can disable automatic loading of helpers with the following command:
core parameter set match_autoload_helper no
If you dump a lot of things to files, you can end up with many files open at once. For example, if you use target dump_payload to write each connection to its own file, you may exceed the number of open files the system allows: most systems allow a process 1024 open files by default. To change this limit, use ulimit in the shell from which you will run the program. For example, to allow a maximum of 65535 open files:
ulimit -n 65535
Note that without root access you can only raise the soft limit up to the current hard limit (shown by ulimit -Hn); raising the hard limit itself requires root.
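The launcher snippet below is an added example (not part of packet-o-matic) of applying this in the shell that starts the program, with the check a non-root user needs: it asks for the requested soft limit, caps the request at the hard limit instead of failing when the shell is not root, and reports the limit actually in effect. The function name raise_nofile and the requested value are the example's own choices; the exec line is left commented so the snippet runs without packet-o-matic installed.

```shell
#!/bin/sh
# Added example, not packet-o-matic code: raise the open-files soft limit
# before starting the program. Any user may raise the soft limit up to the
# hard limit; only root can raise the hard limit, so we cap rather than fail.

# raise_nofile WANTED -> sets the soft limit to WANTED (capped at the hard
# limit), prints the soft limit now in effect, returns 1 on failure
raise_nofile() {
    wanted=$1
    hard=$(ulimit -Hn)
    if [ "$hard" != unlimited ] && [ "$wanted" -gt "$hard" ]; then
        echo "raise_nofile: hard limit is $hard, capping request of $wanted (raise the hard limit as root)" >&2
        wanted=$hard
    fi
    ulimit -Sn "$wanted" || return 1
    ulimit -Sn
}

# Launcher: apply the limit in this shell, then replace it with the program
# so packet-o-matic inherits the raised limit.
raise_nofile 65535
# exec packet-o-matic "$@"
```

If the printed value is lower than 65535, the hard limit is the ceiling; raise it as root (for example through the system's limits configuration) and rerun the launcher.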
Pcap has only a small capture buffer, so packets are dropped whenever packet-o-matic does not drain it fast enough. The simplest way to reduce dropped packets is to raise the scheduling priority of the process, that is, lower its nice value. You can do that while packet-o-matic is running with the command
renice -5 `pidof packet-o-matic`
A negative nice value such as -5 can only be set by root (or a process with CAP_SYS_NICE); an unprivileged user can only make a process nicer, not less nice.