Siege Frequently Asked Questions

Why Do I Need It? ^

Siege was designed to stress test and benchmark webservers. You need it examine the performance and efficiency of your code under duress. Siege provides mechanisms to control the number of simulated hits on a webserver over a controlled period of time. Use siege to save yourself future embarassment.

Where is the latest version? ^

The latest version of siege is available via anonymous ftp from Links are available to the mirrors on the top of every frame. There are two links to the Austin, TX site. The first is FTP and the second is HTTP for those behind oppressive, non-user friendly firewalls.

What platforms does it run on? ^

Siege has been compiled and run on AIX 4.x, GNU/Linux 2.2.x, HP-UX 11.x, and Solaris 2.x. Siege relies on UNIX-centric functionality. Due to this fact, it will not run on natively on Microsoft Windows. No problem. You can run it under cygwin.

Hey! I tried running it, but it doesn’t work… ^

‘man siege’ is a good place to start. You probably have a configuration problem. Run “siege -C” to view your current working configuration. If the output of that command indicates that you do not have a resource file, .siegerc, then run “siege.config” to generate one. You can configure siege so that it will run properly by either setting command line options or by editing the resource file.

What’s the Bull Dog’s name? ^

The original spokes model for was Limey Tango Jones. Sadly, he passed away in 2008. He was nearly thirteen years old. He left some mighty big shoes to fill … The newest spokes model is Pommie Tango Jones. He never met a tennis ball he didn’t like. If YOU have an English bulldog, please send us a link to his pictures. (We know you have some…)

Can I stress cgi-bin programs? ^

Yes. If they accept GET, you can just build your URLs with the form values like this:

If they accept POST, then you have to construct your URL with the POST directive like this: POST name=bart&last=simpson

If you are using the POST directive at the command line, you will have to put quotes (“”) around it. The quotes are not necessary if the URL is in the urls.txt file.

Does siege support HTTP/1.1 protocol? ^

Mostly. Support for protocol 1.1 has trickled in gradually. Starting with v2.03, an option was added to .siegerc to enable 1.1 protocol. Overtime, features of the protocol have gradually slipped into the program. The default protocol is now 1.1. To switch to 1.0 protocol make sure this directive is in your .siegerc file: protocol = HTTP/1.0.

Features of 1.1 protocol not yet supported by siege:

  • Pipelined connections
  • 100 Continue
  • Support for persistent connections is poor. Siege prefers Connection: close

I chose HTTP/1.0 protocol but Siege is reporting 1.1 ^

Several HTTP/1.1 compliant servers return headers that read HTTP/1.1 even though the client requested HTTP/1.0. Don’t worry, the server is executing the selected protocol despite the fact that it is reporting otherwise. (Bug? Feature? Who knows?)

If Siege supports HTTP/1.1 protocol why would I choose 1.0? ^

There are numerous reasons, actually. Perhaps the biggest reason for choosing 1.0 is to avoid skewing benchmarks. Some HTTP servers IGNORE the client’s close directive on a redirect. If this occurs, the siege instance will “hang” with an open socket until the server finally closes it. This could take up to 30 seconds, a number that obviously skews your benchmark. If you notice siege instances hanging for extended periods of time, you probably want to switch to 1.0 protocol. For the most part, you probably want to use 1.1

Does siege support the POST directive ^

Yes. As of siege-2.06 the POST directive is supported. You will need to construct your URLs in the following manner: POST first=lisa&last=simpson POST user=home&password=secret

Siege 2.65 added support for posting file contents. To post a file, use the redirect character: POST < /path/to/file

NOTE: this is not a multi-part file POST. Siege does not currently support that feature. Versions prior to 2.67 sent “application/x-www-form-urlencoded” as the default Content-type. Newer versions map the file extension to the appropriate content-type. In the example above, siege will send “Content-type: text/xml”. The complete map is in src/load.c.

If you run POSTS from the command line, make sure you wrap the URL with quotes.

siege -g “ POST user=howard&pass=stern”

DO NOT quote URLs in the urls.txt file!!!!

Why doesn’t my POST work? ^

The most common mistake we see occurs when people post to the file instead of the FORM action. In other words, if haha.jsp contains a FORM whose action is the servlet UserAuth, then you must construct your URL to post to UserAuth, NOT haha.jsp.

Why does siege POST data that is smaller than the size of my post file? ^

Siege chomps excessive white space, carriage returns and newlines from the POST data contained within a post file that has been fed to the application with a redirect character: “ POST < /my/file.txt” Therefore it is possible that siege will post less data to the server than it has read from the file.

Does siege support HTTPS protocol? ^

Yes it does. But it requires additional work on your part. You have to download openssl from and compile it and install it on your system. You will have to reconfigure and rebuild siege to use the openssl libraries. Consult the installation instructions for more details. In a nutshell, if you have ssl installed, then build siege like this: ./configure –prefix=/some/dir –with-ssl=/path/to/ssl make make install

Is the siege HTTPS support secure? ^

It is not as secure as it could be. Not all systems have a /dev/random and I’ve chosen to seed the entropy pool in the highly portable manner. Technically the method used is not as secure as it could have been. But siege was developed as a pre-production testing tool. It is not intended to handle sensitive data transactions. Use siege to test your https code in development, not in production.

Can I run siege for a pre-determined period of time? ^

Yes. The frequency of this question has waned which I hope means that this option is no longer confusing. The format for time based testng is this: -tNUMm where NUM is an integer value and “m” is the modifier H, M, or S for hours minutes and seconds. Therefore if you want to run siege for two hours you could invoke it in any of the following ways:

-t2H -t120M -t7200S

NOTE: The modifier is NOT case sensitive, therefore -t2H is the same as -t2h.

How many concurrent users should I use? ^

Integrity testing: I can count on one hand the number of times I found a problem with 800 simulated users that I wouldn’t have found with 25. If your programmers aren’t reclaiming resources such as database connections, you will identify those problems with repetitive hits to the troublesome application. Do yourself a favor, during integrity testing, keep the users under 100. You’re more likely to create a mess than identify a problem. Capacity testing: Regression testing is a good method to measure your web server’s load capacity. Bombard is a siege wrapper that stair steps increasing amounts of load and charts the results. Work the number of concurrent users up slowly. Too frequently, we receive gripes from people who’ve made a mess with high levels of concurrent users. If you schedule more users than your webserver is configured to handle, then of course you’ll make a messs. An HTTP server handles a fixed number of incoming requests. A pre-forking server has a limited number of child processes (MaxClients) and a threaded server has a fixed number of threads (MaxThreads). A server can handle up to its maximum number of handlers, no more. Once its handlers are exhausted, socket connections are queued by the OS. They wait for the next available handler. If the httpd server is overwhelmed by more users than it can handle, sockets will timeout before they ever get a handler. Siege reports a timeout, a browser reports “Connection refused.” If the server is completely inundated, the OS may not have enough resources to even make a socket. If you scheduled so many siege clients that you’ve reached this point, then you’ve made a complete mess. Congratulations. Please don’t email us with complaints.

If you want to measure your code under load that reflects your site’s traffic, then you should schedule concurrent users based on current traffic. An access log analyzer like webalizer (free) or WebTrends (expensive) can help you determine that load. If your site peaks at 100 hits every five seconds, then use these parameters to invoke siege: -c100 -d5. For 50 hits a second you would run it like this: -c50 -d1. We’ve had people ask about configurations like -c1000 -d1. A single pre-forking apache server cannot handle such load without modification. It has a hardcoded limit of 256.

What does “Error: system resources exhausted” mean? ^

This error occurs when you’ve selected a number of simulated users which is greater then your system can handle, i.e., you’ve run out of memory. The other likely scenario is that you’ve selected a number of simulated users which is greater then the number of processes your UNIX account is allowed to run. This is likely when a non-root user attempts to run more then 256 siege users on most commercial UNIX systems. You can run siege as root to get around this problem or you can have your administrator increase the number of processes you are allowed to run. Keep in mind that -c256 -d1 translates to roughly 47,000 unique visitors per day.

How Does Siege Calculate Concurrency? ^

Concurrency is the total transactions divided by total elapsed time. So if we completed 100 transactions in 10 seconds,  our concurrency was 10.00. This blog entry provides more details which should help you understand this metric.

Does siege support cookies? ^

Netscape cookie support was added to siege-2.00; it does not support RFC 2965 cookies. This feature was “Microsofted” in that it shipped with a known issue: siege ignores path information and returns cookies based on server and domain. All cookies will be discarded after the run, they are not stored locally on disk. Cookies will be expired during the run as per the Netscape expire directive. The primary concern with regard to cookie support was to maintain state with the server. Siege supports that feature nicely.

Can I run siege with multiple resource files? ^

Yes. The siege resource file is located in your home directory It is called .siegerc If you don’t have a resource file, you can run “siege.config” to generate one. This file contains a runtime configuration. You may run siege with an alternative resource file in one of several ways, with an command line argument or an environment variable.

At run time siege searches for a resource file in the following manner. It checks to see if one was named with a “-R filename” argument. If that argument was not invoked, siege will check for a SIEGERC environment variable. Finally it will rely on a $HOME/.siegerc file. You may set an environment variable like so: export SIEGERC=/home/jeff/etc/siege.conf

To make sure siege is using that file, run “siege -C” to view the configuration. You can set up several sieges with shell wrappers:

  1. !/bin/sh

export SIEGERC=/home/jeff/etc/siege_one.conf /home/jeff/bin/siege

export SIEGERC=/home/jeff/etc/siege_two.conf /home/jeff/bin/siege

export SIEGERC=/home/jeff/etc/siege_thr.conf /home/jeff/bin/siege

Can I run siege with multiple IP addresses from the same machine? ^

Yes. The best solution we’ve found comes to us from Robert Hartman although it is GNU/Linux specific and it requires IP tables support. Basically there are two steps.

1.) Add IP aliases. Example:

  1. !/bin/sh

for i in `seq 1 254` do

  ifconfig eth0:$i 192.168.1.$i;


2.) Reverse NAT with iptables. So that the Linux kernel acts as a client from more than one IP address use iptables to do reverse natting. Example:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT –to

NOTES: This method can be used for Class B address spaces as well with proper masking on the eth0 interface. Robert tested this to work with 2500+ IPs on a single ethernet card. You can contact Robert via email: “robert at roberthartman dot net”

What is the easiest way to build a urls.txt file? ^

There are two supported utilities that can help you build a urls.txt file. One is sproxywhich is a functional HTTP proxy server that collects URLs including POST and GET data in a “siege-friendly” format and a second is logparse which parses URLs from an apache-style access_log and builds a siege-style urls.txt file. NOTE: logparse will build one URL for each entry in the access_log. It is recommended that you run logparse on a subset of access_log. Another unsupported utility is available. Scout surveys a webserver and prepares the urls.txt file for a siege.

How can I be notified when a new release is available? ^

The simplest way to do this is to subscribe to updates on freecode. Click here and choose “subscribe” in the project menu.

Where is the license information? ^

Siege is published under the GPL, the GNU Public License. A copy of that license is included in every siege distribution in the file called “COPYING.” Click here for more information about the GPL.

Are siege binaries available? ^

Yes. On Ubuntu systems connected to the Internets, you should be able to run “apt-get install siege”  to install the software. Debian also makes siege available in its networked repositories. AIX binaries are availble from Public Domain Software Library for AIX.  Less recent binaries are also distributed for Solaris 2.5.1, 2.6, 7, 8/SPARC; HP-UX 10.20, 11.00; Tru64 UNIX 4.0D, 5.1; IRIX 6.5 and AIX 4.3.2 by The Written Word.

Posted in | 34 Comments

34 Responses to “Siege Frequently Asked Questions”

  1. I wanted to download the Bombard tool, so that I can create charts of the results but it seems that the URL is not working:

    The record is a CNAME to which redirects to and it is down:

    ping -c5
    PING ( 56(84) bytes of data.

    — ping statistics —
    5 packets transmitted, 0 received, 100% packet loss, time 4028ms

    Could you please provide another link to download the tool.

    Kind Regards,
    Daniel K.

  2. How siege to generate the test report says:

    How the siege to generate the test report,such as .txt , csv.

  3. Steve McQueen says:

    “Keep in mind that -c256 -d1 translates to roughly 47,000 unique visitors per day.”

    How does that calculation work? How do you know how much transactions a unique visitor makes? Isn’t that highly variable?

  4. B. says:

    Hi, I have a problem with https:
    siege -g https://localhost
    [alert] unsupported protocol
    [fatal] URL is invalid or unsupported

    ./configure –with-ssl=/etc/ssl

    checking for ssl support… yes
    checking /etc/ssl/include/openssl/opensslv.h usability… no
    checking /etc/ssl/include/openssl/opensslv.h presence… no
    checking for /etc/ssl/include/openssl/opensslv.h… no
    checking /usr/include/openssl/opensslv.h usability… yes
    checking /usr/include/openssl/opensslv.h presence… yes
    checking for /usr/include/openssl/opensslv.h… yes
    checking for OpenSSL version… >= 0.9.8 (appropriate flag set)

    Please help.


    • B. says:

      The problem is present in version 2.72 but not in 2.70 in combination with ubuntu 12.04.
      Version 2.70 works fine with https.


      • Jeff Fulmer says:

        Interesting. I don’t think anything changed with regard to the way siege interfaces openssl in those two versions. It’s not clear why you’re directing configure to /etc/ssl since it’s clearly not the appropriate location.

        BTW: On Ubuntu, you should be able to install siege with apt-get. They distribute it in their repository.

        • B. says:

          Thx for your reply.
          I tried the ubuntu (apt-get) version too, but it is version 2.70.
          @ssl: I tried some locations, after the correct location failed. Sorry, if there was a misunderstanding.

          2.70 works fine for me.


  5. Dario says:

    Thanks for developing this tool.

    I would like to use it to test a site with several concurrent users, but I need the URL file to be different for each user.
    Is there any way I can put a ‘token’ in the URL file that gets replaced by siege with (e.g.) a number unique for each concurrent user taking part to the siege ?

    • Jeff Fulmer says:

      Dario – no. Siege doesn’t have that capability and I can’t imagine adding it. While it could pretty useful it’s outside of the scope of this project.

      • Dario says:

        Thanks for the quick reply.

        I understand.
        Upon closer inspection I did find the option to define multiple login-url, which helps already.

      • MikeJ says:

        My need was somewhat similar. I want to have a repeatable set of URLs run (so –internet option was out) but I didn’t want every user to be issuing the same URLs at (roughly) the same time because otherwise too many responses were just coming from the cache. For my needs it was sufficient to just pick different offsets in the url file for each user. I’d love to see this capability in the tool. You’d probably want to wrap it in an option to avoid changing existing functionality but I made this simple modification to meet my needs.

        id * (my.length / my.cusers);
        < for (x = 0; x for (x = 0, y = 0; x < my.reps; x++, y++) {

        • MikeJ says:

          Looks like some of the diff output was treated as a comment and omitted. Trying one more time (patch to version 3.0.0 client.c):

          \id * (my.length / my.cusers);
          \< for (x = 0; x for (x = 0, y = 0; x < my.reps; x++, y++) {

  6. Chris James says:


    I am trying to post json as part of the body of the request. I cant seem to be able to accomplish this, is there an example of this working?

    Cheers, Chris

  7. Tiffany says:

    I have a question about the tool Bombard. I am trying to look for the documentation for it, but I can’t seem to find it. How do you use Bombard and where is the documentation for it?


  8. Tesla says:

    Hi, I am trying to run siege against an IIS server I have that has basic authentication set up. My URLS.txt file lists 4 different urls for siege to hit.

    When I run siege, I get the 401 errors initially (for the basic auth), and then it uses the credentials I provided in the config file to login and then continues to give 200 responses the rest of the time.

    My issue is, I would like siege to have to login once every time it goes through all of the urls in URLS.txt. I think this would mean deleting all the cookies after it goes through the list? I have tried setting the “expire-session” configuration to true, but that didn’t solve my issue. Any idea? Am I doing something wrong?

    • Jeff Fulmer says:

      I was going to recommend expire-session. It’s supposed to delete all the cookies. Maybe you could run the entire way through urls.txt file with one user (-c 1) and -D for debug. Then you can check to see what’s happening at the of the file.

      • Tesla says:

        I just did that. After the hitting the last url in the URLS, the debug message isn’t any different from the debug messages that appear after every hit. Nothing about clearing cookies (is there suppose to be a debug message saying cookies cleared?).

        There are just 3 debug lines, “attempting to connect to :”, “creating new socket: :”, and “good socket connection: :”

        Following this, it juts continues to loop back to the first URL.

      • Tesla says:

        Moreover, I saw no difference in debug messages when I set “expire-session” to true and false, as well as no difference in the resulting responses. If it makes a different, I am going through a proxy

  9. Jonah says:


    Like Chris, I would like to know if it’s possible to send JSON data in the body of a POST request? I am trying to test a login API that uses JSON. I have tried:

    siege -t5s -H “Accept: application/json” -H “Content-Type: application/json” “” POST <login.json

    where login.json is a file containing the JSON to be sent. The server gives a "0 hits" response even though it's working fine with a similar curl command.

    • Suhail says:

      Try siege -t5s -H “Accept: application/json” -H “Content-Type: application/json” “ POST” <login.json

  10. abhilash says:

    is it possible to test file upload? (multipart/form-data)
    i am not able to get the post content in $_FILES variable in php.

  11. Aethemba says:


    Great work on this tool. It works very well for me.

    I have a question regarding the verbose output of siege. It’s unclear to me what data is being shown in the output. For example, I get the following:

    HTTP/1.1,200, 0.14, 11462,/,0,2013-10-16 11:58:41

    My output contains more data than the documentation states as far as I can see. I looked in the documentation and the .seigerc file but to no avail. What exactly is the data?

    It seem so be something like: Http request, response code, ?, ?, url, ? , date. So, what are the question marks?



  12. lobatt says:

    Thanks for the awesome tool.
    I got one question though:
    I check the src code of __url_parse function, looks like HTTP DELETE method is not supported in current urls.txt format, hence below is not working: DELETE <./my.txt

    Is there any specific consideration on that?

  13. Gabriel says:


    I’m trying to use siege to simulate user requests in my network. When I change the user agent to captive wispr, I return a XML and users may be redirected to a captive portal. But siege raises a segfault when I do that.
    We’ve done a workaround in the src/client.c line 367 on 3.0.1 version to skip the if clause and after the if we commented the destroy_url call. Obvious it’s a workaround because we do not want to read the 302.

    Not only that, if the file has more than 1k+ lines it raises segfault too.

    If you want we can send a patch to you to fix that.

    Thanks for the awesome software.

  14. When someone writes an piece of writing he/she keeps the image of a consumer among his/her mind that how a user can understand it. So that why this paragraph is great. Thanks!

  15. This is a topic which is near to my heart… Take care! Where are your contact details

  16. Phacil says:

    I have been exploring for a bit for any high-quality articles or weblog posts in this
    kind of space . Exploring in Yahoo I ultimately stumbled upon this site.
    Studying this info So i’m glad to exhibit that I’ve an incredibly just right uncanny
    feeling I came upon exactly what I needed. I so much indisputably will make certain to do
    not put out of your mind this web site and provides it
    a look regularly.

  17. If some one needs expert view about running a blog
    after that i propose him/her to go to see this webpage, Keep up the nice job.

  18. Manokk says:

    Siege breaks POST request body on the first pound symbol “#” met. What’s wrong with this?
    SIEGE 2.72

  19. amgems says:

    I put a bunch of HTTPS urls in a urls.txt, and set keep-alive.
    I find that the first URL is processed, the second fails silently, the third is processed, ….
    What is happening is the socket remains open, but SSL_initialize() is called again on the already initialised session, sending a ClientHello on the already established SSL v3 session.

    This causes openssl to get upset, because once the initial SSLv2 ClientHello establishes the session running at SSLv3, the record format changes, and the subsequent SSLv2 record with second ClientHello fails a ssl version test. The 0×301 version in this record is interpreted as the length. The server sends an alert message with a wrong-version.

    The code I am looking at is 3.0.5, and __http() will call __init_connection() which will call SSL_initialise() using the same socket, but the second call to SSL_initialise() is wrong. There is no need to re-handshake. If you do, for some reason, want to re-negotiate, there is an SSL_call() to request that, but it is not needed at this point.

  20. amgems says:

    Made this change to SSL_initialise:

    if (C->ssl) {
    return TRUE;

    Now I get 100% hit rate and I get keep-alive-style session reuse.

    • Jeff Fulmer says:

      At ssl.c:72 I initialize C->ssl to null. Are you telling me you placed that condition right before the declaration like this:

      if (C->ssl) {
      return TRUE;

      C->ssl = NULL;
      C->ctx = NULL;
      C->method = NULL;
      C->cert = NULL;

Leave a Reply