[flow-tools] Large memory footprint of flow-stat -f11
Roland Rosenfeld
rrosenfeld@netcologne.de
Sun, 26 Jan 2003 14:24:53 +0100
Hi!
One of our customers seems to have got a Trojan, which scans half the
world with 40-byte TCP packets.
This results in a netflow file of 16MB size (15 minutes), which mainly
contains these scans. The file contains 3369300 flows, which isn't
that much, but if I feed this netflow file into flow-stat -f11 (from
flow-tools 0.62), the flow-stat process grows to 184MB. I haven't
looked into the code yet, but this process size seems to be a little
too large to me. Is this a memory leak or isn't it a good idea at all
to use flow-stat -f11?
With the above 16MB file, this isn't a problem for me, but I used
flow-cat to feed a whole day into flow-stat -f11, which resulted in
flow-stat growing to 850MB before it began to swap, which brought the
performance of flow-stat down (say: after 24 hours I killed the job
because every 15-minute flow file took more than 6 hours (exponentially
increasing) to process).
Tschoeeee
Roland