Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Performance: export after nsrlsvr analysis very slow #1047

Open
2 tasks
joachimmetz opened this issue Oct 16, 2016 · 3 comments
Open
2 tasks

Performance: export after nsrlsvr analysis very slow #1047

joachimmetz opened this issue Oct 16, 2016 · 3 comments
Labels
needs closer look Issue that requires further analysis by a maintainer tools Issue related to the tools

Comments

@joachimmetz
Copy link
Member

joachimmetz commented Oct 16, 2016
edited
Loading

While running:

psort.py --analysis nsrlsvr --nsrlsvr-hash md5 --nsrlsvr-host 127.0.0.1 --nsrlsvr-port 9120 -w output.log --disable-zeromq test.plaso

The export after the analysis is very slow, a couple of events per update cycle.

To do:
@joachimmetz joachimmetz added the needs closer look Issue that requires further analysis by a maintainer label Oct 16, 2016
@joachimmetz joachimmetz self-assigned this Oct 16, 2016
@joachimmetz joachimmetz added the tools Issue related to the tools label Oct 16, 2016
@pettai
Copy link

pettai commented Dec 7, 2016
edited
Loading

+1
I've noticed this too. Same if you run a second psort run with another analysis plugin, eg. tagging

@pettai pettai mentioned this issue Dec 7, 2016
Closed
@kinky-it
Copy link

The slow export speed after running nsrlsvr analysis is caused by the fact that (in plaso 1.5.1), the zip file with tags is opened for each retrieval of a tag (zip_file.py#L1826). For dump files with large sets of tags (typically, after running the nsrlsvr analysis plugin), this causes the zip file to be opened thousands of times.

Even if the zip file with tags would be kept open, the lack of seek support in the zip stream would cause similar troubles. It would cause the zip to be reopened every time that the tag offset in the index is non-sequential. Reading the zip file just once and keeping it open as a memfile fixes the problems, and speeds up the export tremendously.

Not sure, and have not checked thoroughly, but it seems that this is fixed in master already.

@joachimmetz joachimmetz removed their assignment May 23, 2018
@joachimmetz joachimmetz added this to the 2018 June release milestone May 23, 2018
@Onager
Copy link
Contributor

Onager commented Sep 19, 2018
edited
Loading

Not making September release, removing milestone.

@Onager Onager removed this from the 2018 September release milestone Sep 19, 2018
@joachimmetz joachimmetz mentioned this issue Oct 2, 2021
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs closer look Issue that requires further analysis by a maintainer tools Issue related to the tools
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Onager @pettai @joachimmetz @kinky-it