pom:tips_and_tricks
pom:tips_and_tricks [2012/10/12 08:57] – external edit 127.0.0.1 | pom:tips_and_tricks [2012/10/24 12:44] – old revision restored gmsoft | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Tips and tricks ===== | + | They say cold for marketing pupsores when the Starbucks Frapps came out as these are new products. |
- | + | ||
- | ==== File path expansion ==== | + | |
- | Some target support file path expansion. For example target_http can have the following prefix configured : | + | |
- | prefix = / | + | |
- | + | ||
- | If the connection is established from 10.0.0.1 and the source port is 3000, the new directory / | + | |
- | + | ||
- | + | ||
- | ==== Disabling rules vs stopping target ==== | + | |
- | When you disable a rule, the connections that were being processed by the targets of this rule will still be processed until they are closed. This is not the case if you stop a target. If you stop a target, all the processing is stopped immediately. | + | |
- | + | ||
- | ==== About debug ==== | + | |
- | In a telnet session, you can enable debugging with the following command : | + | |
- | debug cli set < | + | |
- | You can also change the console (program output) debug level using this command : | + | |
- | debug console set < | + | |
- | You can set the debug level from 0 (no output) to 5 (troubleshoot output). The default debug level in the program console is 3 (Error, warnings and informational messages). Increasing the debug level to 5 may not be a good idea as it can produce a lot of output. The debug levels | + | |
- | * 0 : No output | + | |
- | * 1 : Errors only | + | |
- | * 2 : Errors and warnings | + | |
- | * 3 : Errors, warnings and informational messages | + | |
- | * 4 : Errors, warnings, informational and debug messages | + | |
- | * 5 : All of the above + troubleshooting messages. You should not be using this debug level as it may output a lot of things. | + | |
- | + | ||
- | + | ||
- | ==== Reduce memory usage ==== | + | |
- | * Using a shorter ringbuffer | + | |
- | By default, a ring buffer of 10000 packets will be used. This can be quite a lot of memory if each packet is ~1600bytes of data. | + | |
- | You can reduce this by using the following command when the input is stopped : | + | |
- | core parameter set ringbuffer_size 1000 | + | |
- | This will make the ringbuffer shorter thus using less memory but it will make it more likely that some packets will be dropped. | + | |
- | * Avoiding useless memory usage | + | |
- | Most of the time, the helper_tcp will be loaded automatically. This helper will associate connection tracking information to each TCP connection that it sees. If you have a lot of connection, this can be a lot of memory. If you don't need helper_tcp, you can simply unload it with : | + | |
- | helper unload tcp | + | |
- | Make sure you are not using any target that requires the packets to be in the right order. For example target_dump_payload and target_http will output unusable cruft without it. | + | |
- | You can disable automatic loading of the helpers by running the following command : | + | |
- | core parameter set match_autoload_helper no | + | |
- | + | ||
- | ==== Dumping a lot of things to files ==== | + | |
- | If you are dumping a lot of things to files, you can end up with a lot of files open. For example if you use target dump_payload to dump each connection in a file, you may end up with more file open than allowed by the system. Most system by default allow a total of 1024 files opened at the same time. To change this limit, you can use ulimit in the shell you'll run the program. For example, to set a maximum of 65535 files you can run the following command : | + | |
- | ulimit -n 65535 | + | |
- | Note that you must have root access in order to do so. | + | |
- | + | ||
- | ==== Avoid packet loss when using input_pcap ==== | + | |
- | Pcap has a small buffer when it comes to capture packets. The best way to avoid packets being dropped is to increase the nice level. You can do that when packet-o-matic is running using the command | + | |
- | renice -5 `pidof packet-o-matic` | + |
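Review bot: this revision deletes the whole "Tips and tricks" page (file path expansion, disabling rules vs stopping a target, debug levels 0-5, ringbuffer_size, helper unload tcp and match_autoload_helper, ulimit -n, renice for input_pcap) and replaces it with a single unrelated marketing sentence about Starbucks, which is content vandalism rather than an edit; revert to the previous revision so the operational guidance is kept. Note also that the rendered diff truncates several of the removed lines at the first `<` or `/` (e.g. "debug cli set <", "prefix = /"), so check the restored page source, not this diff view, when verifying the content came back intact.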
pom/tips_and_tricks.txt · Last modified: 2020/05/26 21:59 by 127.0.0.1