Statefull Inspection Table Full (2)

Discussion in 'LnS English Forum' started by qazwee, Nov 12, 2009.

Thread Status:
Not open for further replies.
  1. qazwee

    qazwee Registered Member

    Joined:
    Apr 8, 2007
    Posts:
    15
    Board does not allow me to reply in the old thread so I will ask here ;)

    I'm using LnS 2.07 x64 and today I had a very strange situation - internet connection suddenly stopped working and the LnS log quickly started to fill with "Statefull Inspection Table Full" entries.

    Is the registry patch from the 2-year-old post still good?
    How can I check what the current SPI limit is?
     
  2. Sterno

    Sterno Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    11
    Yes, it will increase SPI connections from 256 to 1024. You will need to reboot after applying the reg patch.
     
  3. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    To see the current number of simultaneous connections allowed, you visit 'Log' TAB/screen, and click 'Connections' button on the bottom. On the bottom of the "TCP Connection States" screen, see 'Number of connections'.



    Regards,
    Phant0m
     
    Last edited: Nov 17, 2009
  4. qazwee

    qazwee Registered Member

    Joined:
    Apr 8, 2007
    Posts:
    15
    Thanks Sterno & Phant0m.

    "Statefull Inspection Table Full" message does not show anymore.


    @Phant0m
    Ok, I found it under Log tab -> connections ;)
    It says - Number of connections: 37/1024.
    Not even close to default (256) limit o_O

    While I was looking at the Log tab one strange thing caught my eye.
    It appears that your V8 ruleset 'abuse' log a lot.
    Yesterday's log had 113685 entries and 90% of them being "UDP : Auth. communications".

    Is that normal?
    Should I turn off logging of that event?

    I was suspecting that Azureus is responsible for this, but it uses different UDP port (62322).

    If you have time, in attachment is log for yesterday. Just strip off log extension and unzip to get proper log file.

    Also right now looknstop.exe is using 99Mb of RAM. I could swear that the normal value was 10-20MB. Maybe because of increased log size or bigger SPI table?
    But on the other hand, today's values are not high - log: 5000 for 17h timespan and SPI is 37/1024.

    PS OS is Win 7 x64
     

  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi qazwee,

    You don't see it because you already applied the registry tweak, hence the reason for not seeing the 'default' 256 limit.

    It's not "'Abuse' log a lot", it's simply indicating you haven't configured the ruleset for this p2p software. If now you feel there's a slowness directly relating to these blocked packets, you have to create an Azureus rule for it.

    It surely does seem the extended logging could be the culprit for the additional MB usage of RAM.

    Normally it's better to create rule to authorize the p2p traffic, and have it apply only when running the p2p application.




    Regards,
    Phant0m
     
  6. qazwee

    qazwee Registered Member

    Joined:
    Apr 8, 2007
    Posts:
    15
    Hi Phant0m,

    I was referring to the low current SPI number (37 out of max 1024) as it seems that default 256 would suffice, but it's not the case.

    I was running both Azureus and uTorrent at that time seeding about 50 torrents just to test things.

    About "abusing" thing I did not intend to offend anyone. I think your ruleset is very good. Reporting almost everything to log is also good.

    As for p2p rule, I did open one port for each p2p application I use.
    Do you have any other suggestions ?

    About memory usage...
    6 hours ago I restarted my computer and looknstop.exe is right now using 9.6MB of RAM, log has 2748 lines.
    Maybe because I'm currently not downloading anything and seeding just a few things.
    There's not too many UDP: Auth. communications lines, and are mainly caused by cfosspeed application.

    PS Please can you give some comments on log attached in my previous post?
     
    Last edited: Nov 17, 2009
  7. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    When you got this number, was the "Only ongoing connections" checked ?
    About memory usage...
    When you reported 99Mb, it would have been interesting to know the number of lines in the log tab.
    If the log tab was containing all the log file you sent (or even maybe just 10% of it since it is very big), then it is normal to have this kind of memory usage.
    Did you change the option to limit the number of entries in the log tab ?

    It is not caused by the increase of the SPI table size because this affects only the driver (and anyway it doesn't require so much memory).

    Regards,

    Frederic
     
  8. qazwee

    qazwee Registered Member

    Joined:
    Apr 8, 2007
    Posts:
    15
    No.
    Log limit is 5000 (default).

    Memory usage is 92.8MB right now.
    looknstop.exe started 4 days, 6h ago (same session as in my previous post)

    If you have any suggestions/test just let me know.

    I'm testing Vuze (Azureus) and it behaves very strangely sometimes.
    For example in one session it opened 400+ TCP connections regardless of max global connections limit being set to 50.
    Also on one occasion (when I was actually monitoring the LnS log) after I stopped torrents and closed the client, it caused a burst of "UDP Auth. communications" lines. It was more than 10K+ before I realised what was going on and turned off logging for that event. Lines were piling up faster than I could read them.

    How much impact on speed and memory consumption do number of connections, number of log entries or SPI limit have?
    What happens when I (just for example) raise the SPI limit to, let's say, 10K?
     
    Last edited: Nov 21, 2009
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Only the number of log entries is supposed to consume memory.
    Number of connections, and SPI don't consume memory.

    The impact of the log entries is simply linked to the size of the packets that are logged. With 5000 entries max, you should not get a memory usage of 90MB. So there is probably another problem or explanation.

    Maybe there is a problem when automatically removing the log entries, or when handling bursts. The log you posted was showing you got 168138 entries (even if only 5000 are supposed to be kept), so there could be a relation between this number and the memory usage. It would have been interesting to know this number for the last case you reported.
    I suggest you remove the logging for some rules to not get a high number of entries, to see if it makes a difference.

    Regards,

    Frederic
     
  10. qazwee

    qazwee Registered Member

    Joined:
    Apr 8, 2007
    Posts:
    15
    I checked a few times and the log tab always keeps up to 5000 entries.

    Under options tab I have "Log files" checked and have set "Remove log files which are 7 days old".
    So LnS should keep on disk log for whole day(s), and only display last 5000 entries.
    Log I posted is one of the daily archived logs. Hence 168K lines.

    About memory footprint - I tried to clear the current log but memory consumption stayed the same. It seems that looknstop.exe does not release memory at all. If at one moment it consumes some amount of memory, it's unlikely that in the next period it goes below that amount. At least I have never seen that.

    Currently I have 4GB of RAM so it's not big deal for me if LnS consume almost 100MB.

    I already turned off logging for that "UDP Auth. comm." rule as the Vuze client causes too many log entries. Later I will restart the computer to see if there are any changes and probably in a few days I will stop using the Vuze client so we can check if that makes a difference. I guess it will.

    PS about memory consumption:
    looknstop.exe - private bytes = 96252K, max private bytes = 98548K,
    so it may release some memory but not much.
     
  11. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    It is not normal anyway to use so much memory.
    If the memory usage is now stable, and few log entries were added, we could already make some correlation.
    Ok, this will be the real test. It will confirm (or not) if the problem is related to automatically removing log entries when it goes over 5000.
    Please report both information: the number for the last log entry, and the memory usage.

    Thanks,

    Frederic
     
  12. Sterno

    Sterno Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    11
    My LNS is also using 90mb of memory :( It's been up about 8 days.
     
  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    How many entries do you have in the log ?
    What is the numbering of the recent entry ?

    Thanks,

    Frederic
     
  14. Sterno

    Sterno Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    11
    It doesn't seem to make any difference in what's in the log. Here is my recent log:
    60mb after 1 full day
     

    Last edited: Dec 3, 2009
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    What program uses UDP port 61059? You should either silently block or allow these packets. ;)
     
  16. Sterno

    Sterno Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    11
    uTorrent uses 61059 but I don't think it does UDP
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    That must be user-defined port, .. no, uTorrent uses TCP and UDP.
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    There was anyway a lot of entries (22855), it's better to create a specific rule for port 61059, to limit this number and to verify the memory usage is not so high with this setting.

    Frederic
     
  19. Sterno

    Sterno Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    11
    I do have a uTorrent rule configured for 61059. It's active when uTorrent is running and blocks when it's not.
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    But it isn't covering UDP packets... or at least it wasn't as shown in your Look 'n' Stop log file. ;)
     
  21. Sterno

    Sterno Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    11
    uTorrent doesn't support UDP until the version 2 beta and I'm using 185
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    You're thinking about the μTP feature I believe...

    ... see the attached screenshot, you see UDP packet loggings? They are from uTorrent v1.8.5. ;)



    Regards,
    Phant0m
     

  23. Sterno

    Sterno Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    11