Hi Peter,<br><br>try tweaking the following:<br><blockquote style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">flow:<br> <b>memcap: 4gb</b><br> hash-size: 131072<br>
<b>prealloc: 50000</b><br> emergency-recovery: 30<br> prune-flows: 5<br></blockquote><br>then also:<br><br><blockquote style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
stream:<br> <b>memcap: 8gb</b><br> <b>max-sessions: 1000000<br> prealloc-sessions: 500000</b><br> checksum-validation: no # do not reject wrong csums<br> inline: no # no inline mode<br> reassembly:<br>
<b>memcap: 4gb</b><br> <b>depth: 2mb </b> # reassemble 2mb into a stream<br> toserver-chunk-size: 2560<br> toclient-chunk-size: 2560<br></blockquote><br>but try out different values and see which one is best for you/your traffic.<br>
<br><br><br>thanks<br><br><br><br><div class="gmail_quote">On Sat, Jun 30, 2012 at 2:58 PM, Peter Bates <span dir="ltr"><<a href="mailto:peter.bates@ucl.ac.uk" target="_blank">peter.bates@ucl.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
<br>
</div>Hello again all<br>
<div class="im"><br>
On 30/06/2012 13:31, Peter Bates wrote:<br>
> Will increasing the AF_PACKET buffer see my reassembly_gaps<br>
> decrease/disappear?<br>
<br>
</div>Okay, so I increased the AF_PACKET buffer to 1Gb and I'd forgotten<br>
about the checksum/NIC settings as mentioned at<br>
<a href="http://securityonion.blogspot.co.uk/2011/10/when-is-full-packet-capture-not-full.html" target="_blank">http://securityonion.blogspot.co.uk/2011/10/when-is-full-packet-capture-not-full.html</a><br>
<br>
Things are looking healthier:<br>
<br>
Date: 6/30/2012 -- 13:57:18 (uptime: 0d, 00h 12m 00s)<br>
tcp.reassembly_gap | Detect | 11<br>
detect.alert | Detect | 0<br>
capture.kernel_packets | RxAFP1 | 6628005<br>
capture.kernel_drops | RxAFP1 | 1186<br>
<div class="im"><br>
- --<br>
Peter Bates<br>
Senior Computer Security Officer Phone: <a href="tel:%2B44%280%292076792049" value="+442076792049">+44(0)2076792049</a><br>
Information Services Division Internal Ext: 32049<br>
University College London<br>
London WC1E 6BT<br>
</div><div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>
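<br><div>An added example, not part of the original thread: one way to compare runs after changing the memcap/prealloc values above is to parse stats.log snapshots in the layout Peter quoted and compute the kernel drop rate and reassembly gaps per million packets. The function names, the first snapshot and the RxAFP2 rows are assumptions made for illustration.</div>

```python
import re

# Constructed sample in the stats.log layout quoted in the thread. The second
# snapshot uses the figures posted in the thread; the first snapshot (and its
# RxAFP2 rows) is invented to show a "before" run with two capture threads.
SAMPLE = """\
Date: 6/30/2012 -- 13:20:10 (uptime: 0d, 00h 10m 00s)
tcp.reassembly_gap        | Detect   | 48210
capture.kernel_packets    | RxAFP1   | 2600000
capture.kernel_packets    | RxAFP2   | 2500000
capture.kernel_drops      | RxAFP1   | 312000
capture.kernel_drops      | RxAFP2   | 300000
Date: 6/30/2012 -- 13:57:18 (uptime: 0d, 00h 12m 00s)
tcp.reassembly_gap        | Detect   | 11
detect.alert              | Detect   | 0
capture.kernel_packets    | RxAFP1   | 6628005
capture.kernel_drops      | RxAFP1   | 1186
"""

DATE_RE = re.compile(r"^Date:\s*(.+?)\s*\(uptime:")
ROW_RE = re.compile(r"^([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_snapshots(text):
    """Return one dict per 'Date:' block, counters summed across threads."""
    snaps = []
    for line in text.splitlines():
        line = line.strip()
        m = DATE_RE.match(line)
        if m:
            snaps.append({"date": m.group(1), "counters": {}})
            continue
        m = ROW_RE.match(line)
        if m and snaps:  # skip separators, headers, rows before first Date:
            name, _thread, value = m.groups()
            counters = snaps[-1]["counters"]
            counters[name] = counters.get(name, 0) + int(value)
    return snaps

def health(snap):
    """Kernel drop percentage and reassembly gaps per million packets."""
    c = snap["counters"]
    pkts = c.get("capture.kernel_packets", 0)
    if pkts == 0:
        return None  # block carries no capture counters
    return {"drop_pct": 100.0 * c.get("capture.kernel_drops", 0) / pkts,
            "gaps_per_mpkt": 1e6 * c.get("tcp.reassembly_gap", 0) / pkts}

if __name__ == "__main__":
    # Counters are cumulative since start, so compare runs of similar uptime.
    for snap in parse_snapshots(SAMPLE):
        print(snap["date"], health(snap))
```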