It looks like <b>tcp.ssn_memcap_drop       | Detect                    | 6019 </b>is starting to add up now too.<div><br></div><div>Thanks!<br><br><div class="gmail_quote">On Fri, Jun 8, 2012 at 1:09 PM, Brandon Ganem <span dir="ltr"><<a href="mailto:brandonganem+oisf@gmail.com" target="_blank">brandonganem+oisf@gmail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><div><i>Up your memcap settings to 4GB each and see if the numbers improve.<br>Both memcap drop stats should be zero when everything's right. </i></div>

<div>Done</div></div><div><div><br>
</div><div class="im"><div><i>This is odd. Your stream related memcap is 1GB, yet this shows 6GB in<br>use? Which again doesn't seem to match the memory usage you seem to be<br>seeing for the whole process. Smells like a bug to me... </i></div>


<div><i><br></i></div></div></div><div class="im"><div>Let me know if you want me to compile in some debugging features. If I can provide any additional information let me know.</div><div><br></div></div><div><font color="#222222" face="arial, sans-serif">CPU / MEM: ~50-125% (similar to before) ~2-2.6GB (similar as well.)</font></div>

<div class="im">
<div>Suricata has only been running for a few minutes, but here is a new stats.log:</div></div><div><div class="im"><br><div>tcp.sessions              | Detect                    | 464890</div><div><b>tcp.ssn_memcap_drop       | Detect                    | 0 (maybe better, it may have to run for a while to start adding up though?)</b></div>


<div>tcp.pseudo                | Detect                    | 10567</div></div><div class="im"><div style="color:rgb(80,0,80)"><div>tcp.invalid_checksum      | Detect                    | 0</div><div>tcp.no_flow               | Detect                    | 0</div>


</div></div><div><div class="h5"><div>tcp.reused_ssn            | Detect                    | 0</div><div>tcp.memuse                | Detect                    | 141604560</div><div>tcp.syn                   | Detect                    | 465555</div>


<div>tcp.synack                | Detect                    | 233829</div><div>tcp.rst                   | Detect                    | 46181</div><div><b>tcp.segment_memcap_drop   | Detect                    | 1281114 (I don't think this is improving)</b></div>


<div><b>tcp.stream_depth_reached  | Detect                    | 70        (Looks like this is still going up)</b></div><div>tcp.reassembly_memuse     | Detect                    | 6442450806        <b>(still 6GB not 4GB)</b></div>


<div><b>tcp.reassembly_gap        | Detect                    | 44583       (Still going up)</b></div><div>detect.alert              | Detect                    | 25</div><div>flow_mgr.closed_pruned    | FlowManagerThread         | 150973</div>


<div>flow_mgr.new_pruned       | FlowManagerThread         | 207334</div><div>flow_mgr.est_pruned       | FlowManagerThread         | 0</div><div>flow.memuse               | FlowManagerThread         | 41834880</div><div>


flow.spare                | FlowManagerThread         | 10742</div><div>flow.emerg_mode_entered   | FlowManagerThread         | 0</div><div>flow.emerg_mode_over      | FlowManagerThread         | 0</div><div>decoder.pkts              | RxPFR1                    | 17310168</div>


<div>decoder.bytes             | RxPFR1                    | 7387022602</div><div>decoder.ipv4              | RxPFR1                    | 17309598</div><div>decoder.ipv6              | RxPFR1                    | 0</div>

<div>
decoder.ethernet          | RxPFR1                    | 17310168</div><div>decoder.raw               | RxPFR1                    | 0</div><div>decoder.sll               | RxPFR1                    | 0</div><div>decoder.tcp               | RxPFR1                    | 15519823</div>


<div>decoder.udp               | RxPFR1                    | 210</div><div>decoder.sctp              | RxPFR1                    | 0</div><div>decoder.icmpv4            | RxPFR1                    | 1323</div><div>decoder.icmpv6            | RxPFR1                    | 0</div>


<div>decoder.ppp               | RxPFR1                    | 0</div><div>decoder.pppoe             | RxPFR1                    | 0</div><div>decoder.gre               | RxPFR1                    | 0</div><div>decoder.vlan              | RxPFR1                    | 0</div>


<div>decoder.avg_pkt_size      | RxPFR1                    | 427</div><div>decoder.max_pkt_size      | RxPFR1                    | 1516</div><div>defrag.ipv4.fragments     | RxPFR1                    | 15</div><div>defrag.ipv4.reassembled   | RxPFR1                    | 5</div>


<div>defrag.ipv4.timeouts      | RxPFR1                    | 0</div><div>defrag.ipv6.fragments     | RxPFR1                    | 0</div><div>defrag.ipv6.reassembled   | RxPFR1                    | 0</div><div>defrag.ipv6.timeouts      | RxPFR1                    | 0</div>


<div><br></div><div><br></div><div>Here's what has been changed in the cfg:</div><div><br></div></div></div><div><div>flow:</div><div><b>  memcap: 4gb</b></div><div class="im"><div style="color:rgb(80,0,80)"><div>  hash-size: 65536</div>


<div>  prealloc: 10000</div><div>  emergency-recovery: 30</div><div>  prune-flows: 5</div></div></div></div><div><br></div><div><div>stream:</div><div><b>  memcap: 4gb</b></div></div></div><br><div class="gmail_quote"><div class="im">

On Fri, Jun 8, 2012 at 12:31 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
</div><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 06/08/2012 05:59 PM, Brandon Ganem wrote:<br>
> tcp.reassembly_memuse     | Detect                    | 6442450854<br>
<br>
This is odd. Your stream related memcap is 1GB, yet this shows 6GB in<br>
use? Which again doesn't seem to match the memory usage you seem to be<br>
seeing for the whole process. Smells like a bug to me...<br>
<span><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font></span><div><div><br>
</div></div></blockquote></div></div></div><br>
</blockquote></div><br></div>
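<div>The check discussed in this thread (memcap drop counters should be zero, and a memuse gauge should not exceed its memcap), as an added example that is not part of the original messages or of Suricata itself. The function names, the pairing of each memuse counter with a memcap setting, and the 4gb cap applied to tcp.reassembly_memuse are assumptions; the sample rows are constructed from values quoted above.</div>

```python
import re

ROW = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)")
UNITS = {None: 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

# Constructed sample in the stats.log layout quoted in the thread; the values
# and one trailing hand-written note are copied from the message.
SAMPLE = """\
tcp.ssn_memcap_drop       | Detect                    | 0 (maybe better)
tcp.memuse                | Detect                    | 141604560
tcp.segment_memcap_drop   | Detect                    | 1281114
tcp.reassembly_memuse     | Detect                    | 6442450806
flow.memuse               | FlowManagerThread         | 41834880
"""
# Assumption: which cap governs which gauge, and 4gb for all three.
MEMCAPS = {"tcp.memuse": "4gb", "tcp.reassembly_memuse": "4gb", "flow.memuse": "4gb"}

def parse_size(text):
    """Convert a memcap string such as '4gb' to bytes (1024-based units)."""
    m = re.fullmatch(r"(\d+)\s*(kb|mb|gb)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_snapshot(text):
    """Map counter name to the list of values reported for it, one per thread."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # text after the number (hand-written notes) is ignored
            counters.setdefault(m.group(1), []).append(int(m.group(3)))
    return counters

def check(snapshot, memcaps, previous=None):
    """Flag non-zero *memcap_drop counters and memuse gauges above their cap."""
    findings = []
    for name, values in sorted(snapshot.items()):
        if name.endswith("memcap_drop") and sum(values):
            before = sum((previous or {}).get(name, []))
            findings.append(f"{name}: {sum(values)} drops (+{sum(values) - before})")
        if name in memcaps and max(values) > parse_size(memcaps[name]):
            findings.append(f"{name}: {max(values)} bytes exceeds memcap {memcaps[name]}")
    return findings

if __name__ == "__main__":
    for finding in check(parse_snapshot(SAMPLE), MEMCAPS):
        print(finding)
```

Drop counters are summed across threads and memuse gauges are compared by their largest reported value; passing the previous snapshot shows how much each drop counter grew between two dumps.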