User Tools

Site Tools


pom:tips_and_tricks

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
Last revisionBoth sides next revision
pom:tips_and_tricks [2012/10/12 08:57] – external edit 127.0.0.1pom:tips_and_tricks [2012/10/24 12:44] – old revision restored gmsoft
Line 1: Line 1:
-===== Tips and tricks ===== +They say cold for marketing pupsores when the Starbucks Frapps came out as these are new products.  use them also for hot drinksthey taste just fine.
- +
-==== File path expansion ==== +
-Some target support file path expansion. For example target_http can have the following prefix configured : +
-  prefix = /mnt/data/${ipv4.src}/${tcp.sport}/http/dump- +
- +
-If the connection is established from 10.0.0.1 and the source port is 3000, the new directory /mnt/data/10.0.0.1/3000/http/ will be created and files will be put there. +
- +
- +
-==== Disabling rules vs stopping target ==== +
-When you disable a rule, the connections that were being processed by the targets of this rule will still be processed until they are closed. This is not the case if you stop a target. If you stop a target, all the processing is stopped immediately. +
- +
-==== About debug ==== +
-In a telnet session, you can enable debugging with the following command : +
-  debug cli set <0-5> +
-You can also change the console (program output) debug level using this command : +
-  debug console set <0-5> +
-You can set the debug level from 0 (no output) to 5 (troubleshoot output). The default debug level in the program console is 3 (Error, warnings and informational messages). Increasing the debug level to 5 may not be a good idea as it can produce a lot of output. The debug levels are the following : +
-  * 0 : No output +
-  * 1 : Errors only +
-  * 2 : Errors and warnings +
-  * 3 : Errors, warnings and informational messages +
-  * 4 : Errors, warnings, informational and debug messages +
-  * 5 : All of the above + troubleshooting messagesYou should not be using this debug level as it may output a lot of things. +
- +
- +
-==== Reduce memory usage ==== +
-  * Using a shorter ringbuffer +
-By default, a ring buffer of 10000 packets will be used. This can be quite a lot of memory if each packet is ~1600bytes of data. +
-You can reduce this by using the following command when the input is stopped : +
-  core parameter set ringbuffer_size 1000 +
-This will make the ringbuffer shorter thus using less memory but it will make it more likely that some packets will be dropped. +
-  * Avoiding useless memory usage +
-Most of the time, the helper_tcp will be loaded automatically. This helper will associate connection tracking information to each TCP connection that it sees. If you have a lot of connection, this can be a lot of memory. If you don't need helper_tcp, you can simply unload it with : +
-  helper unload tcp +
-Make sure you are not using any target that requires the packets to be in the right order. For example target_dump_payload and target_http will output unusable cruft without it. +
-You can disable automatic loading of the helpers by running the following command : +
-  core parameter set match_autoload_helper no +
- +
-==== Dumping a lot of things to files ==== +
-If you are dumping a lot of things to files, you can end up with a lot of files open. For example if you use target dump_payload to dump each connection in a fileyou may end up with more file open than allowed by the systemMost system by default allow a total of 1024 files opened at the same time. To change this limit, you can use ulimit in the shell you'll run the program. For example, to set a maximum of 65535 files you can run the following command : +
-  ulimit -n 65535 +
-Note that you must have root access in order to do so.   +
- +
-==== Avoid packet loss when using input_pcap ==== +
-Pcap has a small buffer when it comes to capture packets. The best way to avoid packets being dropped is to increase the nice level. You can do that when packet-o-matic is running using the command +
-  renice -5 `pidof packet-o-matic`+
pom/tips_and_tricks.txt · Last modified: 2020/05/26 21:59 by 127.0.0.1