[Oisf-devel] Question about the stream management module (StreamTcp)
Victor Julien
victor at inliniac.net
Tue Jul 8 08:19:10 UTC 2014
On 07/07/2014 05:04 PM, Anoop Saldanha wrote:
> On Mon, Jul 7, 2014 at 3:30 AM, Asim Jamshed <asim.jamshed at gmail.com> wrote:
>> Hi,
>>
>> I have recently started using Suricata and have been browsing
>> the code. I have had previous practical and slight development
>> experience with Snort IDS. In specific, I have been trying to
>> analyze Suricata's stream management module. I haven't been
>> able to find enough documentation to answer a few questions I
>> had regarding the reassembly section of the module. The code
>> itself is somewhat complicated to follow. Therefore I am posting
>> the questions here. I apologize in advance if these questions
>> were previously asked as well.
>>
>> Q1. For a large (active) TCP flow, how many bytes (or segments)
>> does the module collect before it flushes it to the detect module.
>> I know that this variable can be adjusted via configuration file but
>> what is the default value? What is the name of the config variable
>> that can help me in changing that value?
>>
>
> If unspecified in the config file, it's 2560, else it's specify by the
> toserver-chunk-size option in the config file.
>
By default some randomization is added as well, it will list the value
that is actually used at startup (if you use -v):
[10054] 8/7/2014 -- 10:18:33 - (stream-tcp.c:570) <Info>
(StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2634
[10054] 8/7/2014 -- 10:18:33 - (stream-tcp.c:572) <Info>
(StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2440
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list