<div dir="ltr">Hi,<div><br></div><div>I'm playing around with Suricata, and want to reduce the number of drops.</div><div><br></div><div>I have 1000Mbits/s traffic and a server with 12 cores and 12GB of RAM. The objective of this sensor is to get HTTP and DNS logging and it only has a bunch of very simple rules for file extraction.</div><div><br></div><div>I'm using PF_RING, and recently switched to "workers" runmode, which reduced my packet drop rate (capture.kernel_drop statistic) to around 5-6% with 6 worker threads.</div><div><br></div><div>My memcaps are:</div><div>defrag.memcap = 32mb</div><div>flow.memcap = 256mb</div><div>stream.memcap = 7gb</div><div>stream.reassembly.memcap = 3gb</div><div>stream.reassembly.depth = 8mb</div><div><br></div><div>Below there's an excerpt of my latest stats. </div><div><br></div><div>I have some questions:</div><div><br></div><div>* What exactly does "tcp.reassembly_memuse" mean and in which units is it measured? If it's measured in bytes the value means more than 18 Exabytes!!!</div><div><br></div><div>* I believe "tcp.segment_memcap_drop" means packets received by Suricata (thus counted in "capture.kernel_packets") but couldn't get to the (stream or reassembly?) processor for further treatment. Which processor is the right one? How can I reduce its value?</div><div><br></div><div>* I believe "tcp.stream_depth_reached" gets incremented each time the "stream.reassembly.depth" is reached, but no packets are dropped here, they are passed to other processors for further inspection. 
Is this right?</div><div><br></div><div>* What exactly does "tcp.reassembly_gap" mean?</div><div><br></div><div>Thank you very much and Merry Christmas ;)</div><div><br></div><div>Regards,</div><div><br></div><div>Jose Vila.</div><div><br></div><div><font face="monospace, monospace">capture.kernel_packets    | RxPFRbond01               | 499299739<br></font></div><div><div><font face="monospace, monospace">capture.kernel_drops      | RxPFRbond01               | 19672447</font></div><div><font face="monospace, monospace">tcp.sessions              | RxPFRbond01               | 8563505</font></div><div><font face="monospace, monospace">tcp.ssn_memcap_drop       | RxPFRbond01               | 0</font></div><div><font face="monospace, monospace">tcp.pseudo                | RxPFRbond01               | 875207</font></div><div><font face="monospace, monospace">tcp.invalid_checksum      | RxPFRbond01               | 0</font></div><div><font face="monospace, monospace">tcp.no_flow               | RxPFRbond01               | 0</font></div><div><font face="monospace, monospace">tcp.reused_ssn            | RxPFRbond01               | 6062</font></div><div><font face="monospace, monospace">tcp.memuse                | RxPFRbond01               | 11549744</font></div><div><font face="monospace, monospace">tcp.syn                   | RxPFRbond01               | 9026381</font></div><div><font face="monospace, monospace">tcp.synack                | RxPFRbond01               | 4749788</font></div><div><font face="monospace, monospace">tcp.rst                   | RxPFRbond01               | 1851321</font></div><div><font face="monospace, monospace">tcp.segment_memcap_drop   | RxPFRbond01               | 25237344</font></div><div><font face="monospace, monospace">tcp.stream_depth_reached  | RxPFRbond01               | 1767</font></div><div><font face="monospace, monospace">tcp.reassembly_memuse     | RxPFRbond01               | 18446744073584737005</font></div><div><font face="monospace, 
monospace">tcp.reassembly_gap        | RxPFRbond01               | 1484974</font></div><div><font face="monospace, monospace">capture.kernel_packets    | RxPFRbond02               | 492433102</font></div><div><font face="monospace, monospace">capture.kernel_drops      | RxPFRbond02               | 40354598</font></div><div><font face="monospace, monospace">tcp.sessions              | RxPFRbond02               | 8399520</font></div><div><font face="monospace, monospace">tcp.ssn_memcap_drop       | RxPFRbond02               | 0</font></div><div><font face="monospace, monospace">tcp.pseudo                | RxPFRbond02               | 835717</font></div><div><font face="monospace, monospace">tcp.invalid_checksum      | RxPFRbond02               | 0</font></div><div><font face="monospace, monospace">tcp.no_flow               | RxPFRbond02               | 0</font></div><div><font face="monospace, monospace">tcp.reused_ssn            | RxPFRbond02               | 6986</font></div><div><font face="monospace, monospace">tcp.memuse                | RxPFRbond02               | 11428576</font></div><div><font face="monospace, monospace">tcp.syn                   | RxPFRbond02               | 8855093</font></div><div><font face="monospace, monospace">tcp.synack                | RxPFRbond02               | 4589567</font></div><div><font face="monospace, monospace">tcp.rst                   | RxPFRbond02               | 1785767</font></div><div><font face="monospace, monospace">tcp.segment_memcap_drop   | RxPFRbond02               | 24774361</font></div><div><font face="monospace, monospace">tcp.stream_depth_reached  | RxPFRbond02               | 1532</font></div><div><font face="monospace, monospace">tcp.reassembly_memuse     | RxPFRbond02               | 18446744073584737005</font></div><div><font face="monospace, monospace">tcp.reassembly_gap        | RxPFRbond02               | 1425344</font></div><div><font face="monospace, monospace">capture.kernel_packets    | RxPFRbond03  
             | 492419647</font></div><div><font face="monospace, monospace">capture.kernel_drops      | RxPFRbond03               | 42845268</font></div><div><font face="monospace, monospace">tcp.sessions              | RxPFRbond03               | 8385635</font></div><div><font face="monospace, monospace">tcp.ssn_memcap_drop       | RxPFRbond03               | 0</font></div><div><font face="monospace, monospace">tcp.pseudo                | RxPFRbond03               | 822302</font></div><div><font face="monospace, monospace">tcp.invalid_checksum      | RxPFRbond03               | 0</font></div><div><font face="monospace, monospace">tcp.no_flow               | RxPFRbond03               | 0</font></div><div><font face="monospace, monospace">tcp.reused_ssn            | RxPFRbond03               | 6046</font></div><div><font face="monospace, monospace">tcp.memuse                | RxPFRbond03               | 11537648</font></div><div><font face="monospace, monospace">tcp.syn                   | RxPFRbond03               | 8837803</font></div><div><font face="monospace, monospace">tcp.synack                | RxPFRbond03               | 4571846</font></div><div><font face="monospace, monospace">tcp.rst                   | RxPFRbond03               | 1773068</font></div><div><font face="monospace, monospace">tcp.segment_memcap_drop   | RxPFRbond03               | 25125565</font></div><div><font face="monospace, monospace">tcp.stream_depth_reached  | RxPFRbond03               | 1527</font></div><div><font face="monospace, monospace">tcp.reassembly_memuse     | RxPFRbond03               | 18446744073584737005</font></div><div><font face="monospace, monospace">tcp.reassembly_gap        | RxPFRbond03               | 1433148</font></div><div><font face="monospace, monospace">capture.kernel_packets    | RxPFRbond04               | 480476000</font></div><div><font face="monospace, monospace">capture.kernel_drops      | RxPFRbond04               | 33911729</font></div><div><font 
face="monospace, monospace">tcp.sessions              | RxPFRbond04               | 8445070</font></div><div><font face="monospace, monospace">tcp.ssn_memcap_drop       | RxPFRbond04               | 0</font></div><div><font face="monospace, monospace">tcp.pseudo                | RxPFRbond04               | 846767</font></div><div><font face="monospace, monospace">tcp.invalid_checksum      | RxPFRbond04               | 0</font></div><div><font face="monospace, monospace">tcp.no_flow               | RxPFRbond04               | 0</font></div><div><font face="monospace, monospace">tcp.reused_ssn            | RxPFRbond04               | 6037</font></div><div><font face="monospace, monospace">tcp.memuse                | RxPFRbond04               | 11420720</font></div><div><font face="monospace, monospace">tcp.syn                   | RxPFRbond04               | 8898042</font></div><div><font face="monospace, monospace">tcp.synack                | RxPFRbond04               | 4648242</font></div><div><font face="monospace, monospace">tcp.rst                   | RxPFRbond04               | 1810163</font></div><div><font face="monospace, monospace">tcp.segment_memcap_drop   | RxPFRbond04               | 24907905</font></div><div><font face="monospace, monospace">tcp.stream_depth_reached  | RxPFRbond04               | 1675</font></div><div><font face="monospace, monospace">tcp.reassembly_memuse     | RxPFRbond04               | 18446744073584737005</font></div><div><font face="monospace, monospace">tcp.reassembly_gap        | RxPFRbond04               | 1432792</font></div><div><font face="monospace, monospace">capture.kernel_packets    | RxPFRbond05               | 472165077</font></div><div><font face="monospace, monospace">capture.kernel_drops      | RxPFRbond05               | 19792478</font></div><div><font face="monospace, monospace">tcp.sessions              | RxPFRbond05               | 8584426</font></div><div><font face="monospace, monospace">tcp.ssn_memcap_drop     
  | RxPFRbond05               | 0</font></div><div><font face="monospace, monospace">tcp.pseudo                | RxPFRbond05               | 883513</font></div><div><font face="monospace, monospace">tcp.invalid_checksum      | RxPFRbond05               | 0</font></div><div><font face="monospace, monospace">tcp.no_flow               | RxPFRbond05               | 0</font></div><div><font face="monospace, monospace">tcp.reused_ssn            | RxPFRbond05               | 6273</font></div><div><font face="monospace, monospace">tcp.memuse                | RxPFRbond05               | 11500976</font></div><div><font face="monospace, monospace">tcp.syn                   | RxPFRbond05               | 9046229</font></div><div><font face="monospace, monospace">tcp.synack                | RxPFRbond05               | 4763061</font></div><div><font face="monospace, monospace">tcp.rst                   | RxPFRbond05               | 1853137</font></div><div><font face="monospace, monospace">tcp.segment_memcap_drop   | RxPFRbond05               | 24989622</font></div><div><font face="monospace, monospace">tcp.stream_depth_reached  | RxPFRbond05               | 1737</font></div><div><font face="monospace, monospace">tcp.reassembly_memuse     | RxPFRbond05               | 18446744073584737005</font></div><div><font face="monospace, monospace">tcp.reassembly_gap        | RxPFRbond05               | 1435203</font></div><div><font face="monospace, monospace">capture.kernel_packets    | RxPFRbond06               | 462382502</font></div><div><font face="monospace, monospace">capture.kernel_drops      | RxPFRbond06               | 34364858</font></div><div><font face="monospace, monospace">tcp.sessions              | RxPFRbond06               | 8449179</font></div><div><font face="monospace, monospace">tcp.ssn_memcap_drop       | RxPFRbond06               | 0</font></div><div><font face="monospace, monospace">tcp.pseudo                | RxPFRbond06               | 
839632</font></div><div><font face="monospace, monospace">tcp.invalid_checksum      | RxPFRbond06               | 0</font></div><div><font face="monospace, monospace">tcp.no_flow               | RxPFRbond06               | 0</font></div><div><font face="monospace, monospace">tcp.reused_ssn            | RxPFRbond06               | 5880</font></div><div><font face="monospace, monospace">tcp.memuse                | RxPFRbond06               | 11420336</font></div><div><font face="monospace, monospace">tcp.syn                   | RxPFRbond06               | 8898974</font></div><div><font face="monospace, monospace">tcp.synack                | RxPFRbond06               | 4644933</font></div><div><font face="monospace, monospace">tcp.rst                   | RxPFRbond06               | 1801340</font></div><div><font face="monospace, monospace">tcp.segment_memcap_drop   | RxPFRbond06               | 25160551</font></div><div><font face="monospace, monospace">tcp.stream_depth_reached  | RxPFRbond06               | 1505</font></div><div><font face="monospace, monospace">tcp.reassembly_memuse     | RxPFRbond06               | 18446744073584737005</font></div><div><font face="monospace, monospace">tcp.reassembly_gap        | RxPFRbond06               | 1452496</font></div></div><div><br></div><div><br></div></div>