GuTi.my Network Security

I mentioned I had Ourmon v2.7 installed previously but it generated a lot packets drop at peaks. I thought it was just my machine’s (Quad core Xeon) fault, which is running FreeBSD AMD64 (64 bit).
I have then installed the latest version of Ourmon (v2.8) which has the experimental threaded support and hoped it would run better in threaded but after the compilation and tested for some time, the problem did not seem to go away.

The CPU usage when I run it in T3 (4 threaded), notice the high CPU usage?

  PID USERNAME  THR PRI   NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
48707   root           1    121    0      193M   162M CPU5   5   1:41   93.49% ourmon
48706   root           1    121    0      193M   162M CPU2   2   1:35   91.82% ourmon
48705   root           1    120    0      193M   162M CPU7   7   1:37   90.31% ourmon
48708   root           1    121    0      193M   162M CPU3   3   1:31   90.31% ourmon

Ourmon seemed to generate incorrect packet per second graph for me too:

The bpfstat information:

  pid   	netif  flags       recv     drop      match      sblen 	   hblen   command
48705     em1  p--s-     240244 67980     240244 16777175 16777098 ourmon
48705     em1  p--s-     270156 86341     270156   248714        0          ourmon

There was same problem when I run Ourmon without threaded support:
i386 usage:

  PID USERNAME  THR PRI   NICE   SIZE    RES  STATE  C   TIME   WCPU COMMAND
 1100      root        1      -58    0   24932K 24416K bpf    0  37.2H    1.90% ourmon

AMD64 usage:

  PID USERNAME  THR PRI   NICE   SIZE    RES   STATE  C    TIME   WCPU COMMAND
38236     root        1      109    0     172M   168M  CPU2   2  355:15 70.46% ourmon

I have contacted Jim, the project admin of Ourmon on this issue.
After we have tested for 2 days, I noticed after I have disabled topn_icmperror, topn_scans, and topn_port_scans modules in ourmon.conf, Ourmon has not dropped any packets at peaks.

I reported my findings to Jim and he seemed to find out the problem which caused the Ourmon to drop packet in 64bit machine:

on x86, unsigned int is 4 bytes, unsigned long is 4 bytes
on amd64, unsigned int is 4 bytes, unsigned long is 8 bytes

He sent me a new fixed package and it has been running fine after compilation. Here is the resouce usage with default ourmon.conf on 64 bit:

  PID USERNAME  THR PRI   NICE   SIZE     RES    STATE  C    TIME   WCPU COMMAND
39548     root        1      -58    0   51164K 29752K    bpf    1  15:29    3.96%  ourmon

The pkts graph is displaying correct result now:

Jim said this fix will be included in Ourmon v2.9, and it will come with a couple of new features as well.
While we wait for the new package now, it is time to test the blacklist features in v2.8.
Thanks Jim!

Tags: ourmon

This entry was posted on Monday, March 10th, 2008 at 2:38 pm and is filed under LittleBug, Monitoring. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.