[Oisf-users] Suricata and tcp.reassembly_gap

Peter Bates peter.bates at ucl.ac.uk
Sat Jun 30 12:31:11 UTC 2012




Hello all

Back again with more questions.

I'm testing the latest Suricata from GIT (I'm presuming it is mostly
the same as 1.3rc1).

Debian 6, using AF_PACKET (although I also built with PF_RING)
on a box with e1000e NIC and a Gigabit link which is only seeing
around 75Mbits/sec (according to pfcount).

Date: 6/30/2012 -- 13:27:11 (uptime: 0d, 00h 04m 06s)
tcp.reassembly_gap        | Detect                    | 1887
detect.alert              | Detect                    | 3
capture.kernel_drops      | RxAFP1                    | 0
Date: 6/30/2012 -- 13:27:18 (uptime: 0d, 00h 04m 13s)
tcp.reassembly_gap        | Detect                    | 2001
detect.alert              | Detect                    | 3
capture.kernel_drops      | RxAFP1                    | 0

[24168] 30/6/2012 -- 13:23:05 - (source-af-packet.c:850) <Info> (AFPCreateSocket) -- Setting AF_PACKET socket buffer to 724280
[24167] 30/6/2012 -- 13:23:05 - (tm-threads.c:1973) <Info> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 3 management threads initialized, engine started.

Will increasing the AF_PACKET buffer see my reassembly_gaps
decrease/disappear?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT

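Added example, not part of the original message and not Suricata project code: a small parser for the stats.log excerpt quoted above that turns the counter values into per-interval growth, so tcp.reassembly_gap can be read next to capture.kernel_drops over the same window. It assumes the values are running totals, as the excerpt suggests; the names parse_stats and deltas are made up for this example.

```python
import re
from collections import defaultdict

# Sample input: the stats.log lines quoted in the message above.
SAMPLE = """\
Date: 6/30/2012 -- 13:27:11 (uptime: 0d, 00h 04m 06s)
tcp.reassembly_gap        | Detect                    | 1887
detect.alert              | Detect                    | 3
capture.kernel_drops      | RxAFP1                    | 0
Date: 6/30/2012 -- 13:27:18 (uptime: 0d, 00h 04m 13s)
tcp.reassembly_gap        | Detect                    | 2001
detect.alert              | Detect                    | 3
capture.kernel_drops      | RxAFP1                    | 0
"""

UPTIME_RE = re.compile(r"uptime:\s*(\d+)d,\s*(\d+)h\s*(\d+)m\s*(\d+)s")
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")

def parse_stats(text):
    """Return [(uptime_seconds, {counter: value summed over threads})]."""
    dumps = []
    for line in text.splitlines():
        m = UPTIME_RE.search(line)
        if line.startswith("Date:") and m:
            d, h, mi, s = map(int, m.groups())
            dumps.append((d * 86400 + h * 3600 + mi * 60 + s, defaultdict(int)))
            continue
        m = COUNTER_RE.match(line)  # header and separator lines do not match
        if m and dumps:
            dumps[-1][1][m.group(1)] += int(m.group(3))
    return dumps

def deltas(dumps, counters):
    """Growth and per-second rate of each counter between consecutive dumps."""
    out = []
    for (t0, c0), (t1, c1) in zip(dumps, dumps[1:]):
        dt = t1 - t0
        if dt <= 0:  # uptime did not advance: engine restarted, totals reset
            continue
        row = {"seconds": dt}
        for name in counters:
            grown = c1.get(name, 0) - c0.get(name, 0)
            row[name] = grown
            row[name + "/s"] = round(grown / dt, 2)
        out.append(row)
    return out

if __name__ == "__main__":
    for row in deltas(parse_stats(SAMPLE), ["tcp.reassembly_gap", "capture.kernel_drops"]):
        print(row)
```

On the two dumps quoted above this reports 114 new reassembly gaps in 7 seconds while the kernel drop counter does not move.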


