Date:	Thu, 10 Dec 2009 14:13:09 -0800
From:	Rick Jones <rick.jones2@...com>
To:	Eric Paris <eparis@...hat.com>
CC:	netdev@...r.kernel.org
Subject: Re: [PATCH] net: export the number of times the recv queue was full

Eric Paris wrote:
> On Thu, 2009-12-10 at 13:38 -0800, Rick Jones wrote:
> 
>>Eric Paris wrote:
>>
>>>We got a request in which a customer was trying to determine how often their
>>>receive queue was full and thus they were sending a zero window back to the
>>>other side.  By the time they would notice the slowdowns they would have all
>>>empty receive queues and wouldn't know which socket was a problem. 
>>
>>Wouldn't a tcpdump command with suitable filter expression on the window field 
>>of the TCP header do?
> 
> 
> It could as a post processing measure be used to find this situation.  I
> believe they want a more 'on the fly' method.

If tcpdump is runnable/running while all this is going on, with the suitable 
filter expression they will be getting the four tuple of local/remote IP, 
local/remote port with which to identify the endpoints where this is happening. 
Pipe the tcpdump output to a script that does the connection lookup via 
lsof/whatnot. And not only will they know which and how often, but *when*, and 
they can perhaps then correlate with other statistics to figure out why the 
application was not keeping up with the incoming traffic and so address root 
cause rather than symptom.

In theory, this (sans the immediate connection lookup) could even be done with a 
third system connected to a monitor port on the same switch as the server(s) in 
question, and not add any additional overhead to the servers, which if the 
application(s) are not keeping up may be somewhat CPU saturated already?

rick jones
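
The tcpdump-plus-script approach described in the message above, as an added example that is not part of the original post: a filter on the TCP window field feeds a script that counts zero-window advertisements per four tuple and records when they occurred. The filter expression, the `tcpdump -n -tt` text format, the script name and the sample lines are assumptions constructed for illustration; the lsof lookup is left out.

```python
import re
import sys

# Capture side (run separately). tcp[14:2] is the 16-bit window field; RSTs are
# excluded because they commonly carry a zero window without a full queue:
#   tcpdump -l -n -tt 'tcp[14:2] = 0 and tcp[tcpflags] & tcp-rst = 0' \
#       | python3 zero_window.py        # script name is hypothetical

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*\bwin (?P<win>\d+)\b"
)

# Constructed sample input in tcpdump -n -tt format (documentation addresses).
SAMPLE = """\
1260483189.100000 IP 192.0.2.10.8080 > 198.51.100.7.51234: Flags [.], ack 1001, win 0, length 0
1260483189.350000 IP 192.0.2.10.8080 > 198.51.100.7.51234: Flags [.], ack 1001, win 0, length 0
1260483190.000000 IP 192.0.2.10.8080 > 198.51.100.7.51234: Flags [.], ack 1001, win 5840, length 0
1260483191.200000 IP 192.0.2.10.5432 > 198.51.100.9.40000: Flags [R.], seq 0, ack 1, win 0, length 0
1260483192.000000 IP 192.0.2.10.5432 > 198.51.100.8.40022: Flags [.], ack 77, win 0, length 0
""".splitlines()


def summarize(lines):
    """Map (src, sport, dst, dport) of the zero-window sender to count/first/last."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        # Re-check window and flags here so unfiltered captures also work.
        if not m or int(m["win"]) != 0 or "R" in m["flags"]:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        ts = float(m["ts"])
        entry = stats.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return stats


if __name__ == "__main__":
    # Read live tcpdump output from a pipe, or fall back to the sample lines.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for key, e in sorted(summarize(source).items(), key=lambda kv: -kv[1]["count"]):
        src, sport, dst, dport = key
        print(f"{src}:{sport} -> {dst}:{dport} zero-window x{e['count']} "
              f"first={e['first']:.6f} last={e['last']:.6f}")
```

The source address and port in each key belong to the endpoint advertising the zero window, which is the side whose receive queue was full.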