<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>I am trying to figure out where the packet loss is coming from on one of my Suricata 3.0 sensor.<div>The only thing that I see weird from stats.log is that tpc.stream_depth_reached and tcp.reassembly_gap is somewhat high.</div><div>I am using latest PF_RING and monitoring one interface with 4 threads.</div><div>4 logical CPUs with 16 gigs of RAM. 66% of RAM is used.</div><div><br></div><div>Here is stats.log info.</div><div><br></div><div>Thank you</div><div><br></div><div><div>capture.kernel_packets | RxPFRbond01 | 34118172</div><div>capture.kernel_drops | RxPFRbond01 | 2240130</div><div>decoder.pkts | RxPFRbond01 | 34125944</div><div>decoder.bytes | RxPFRbond01 | 26624108366</div><div>decoder.invalid | RxPFRbond01 | 0</div><div>decoder.ipv4 | RxPFRbond01 | 34707873</div><div>decoder.ipv6 | RxPFRbond01 | 570</div><div>decoder.ethernet | RxPFRbond01 | 34125944</div><div>decoder.raw | RxPFRbond01 | 0</div><div>decoder.null | RxPFRbond01 | 0</div><div>decoder.sll | RxPFRbond01 | 0</div><div>decoder.tcp | RxPFRbond01 | 23715873</div><div>decoder.udp | RxPFRbond01 | 9702569</div><div>decoder.sctp | RxPFRbond01 | 0</div><div>decoder.icmpv4 | RxPFRbond01 | 98456</div><div>decoder.icmpv6 | RxPFRbond01 | 0</div><div>decoder.ppp | RxPFRbond01 | 0</div><div>decoder.pppoe | RxPFRbond01 | 0</div><div>decoder.gre | RxPFRbond01 | 0</div><div>decoder.vlan | RxPFRbond01 | 0</div><div>decoder.vlan_qinq | RxPFRbond01 | 0</div><div>decoder.teredo | RxPFRbond01 | 570</div><div>decoder.ipv4_in_ipv6 | RxPFRbond01 | 0</div><div>decoder.ipv6_in_ipv6 | RxPFRbond01 | 0</div><div>decoder.mpls | RxPFRbond01 | 0</div><div>decoder.avg_pkt_size | RxPFRbond01 | 780</div><div>decoder.max_pkt_size | RxPFRbond01 | 1514</div><div>decoder.erspan | RxPFRbond01 | 0</div><div>flow.memcap | RxPFRbond01 | 0</div><div>defrag.ipv4.fragments | RxPFRbond01 | 1190975</div><div>defrag.ipv4.reassembled | RxPFRbond01 | 592903</div><div>defrag.ipv4.timeouts | RxPFRbond01 | 0</div><div>defrag.ipv6.fragments | RxPFRbond01 | 0</div><div>defrag.ipv6.reassembled | RxPFRbond01 | 0</div><div>defrag.ipv6.timeouts | RxPFRbond01 | 0</div><div>defrag.max_frag_hits | RxPFRbond01 | 0</div><div>tcp.sessions | RxPFRbond01 | 169101</div><div>tcp.ssn_memcap_drop | RxPFRbond01 | 0</div><div>tcp.pseudo | RxPFRbond01 | 77497</div><div>tcp.pseudo_failed | RxPFRbond01 | 0</div><div>tcp.invalid_checksum | RxPFRbond01 | 0</div><div>tcp.no_flow | RxPFRbond01 | 0</div><div>tcp.syn | RxPFRbond01 | 180407</div><div>tcp.synack | RxPFRbond01 | 146913</div><div>tcp.rst | RxPFRbond01 | 138896</div><div>tcp.segment_memcap_drop | RxPFRbond01 | 0</div><div>tcp.stream_depth_reached | RxPFRbond01 | 107</div><div>tcp.reassembly_gap | RxPFRbond01 | 6765</div><div>detect.alert | RxPFRbond01 | 3426</div><div>capture.kernel_packets | RxPFRbond02 | 33927252</div><div>capture.kernel_drops | RxPFRbond02 | 1246692</div><div>decoder.pkts | RxPFRbond02 | 33932611</div><div>decoder.bytes | RxPFRbond02 | 25571688366</div><div>decoder.invalid | RxPFRbond02 | 0</div><div>decoder.ipv4 | RxPFRbond02 | 34483004</div><div>decoder.ipv6 | RxPFRbond02 | 506</div><div>decoder.ethernet | RxPFRbond02 | 33932611</div><div>decoder.raw | RxPFRbond02 | 0</div><div>decoder.null | RxPFRbond02 | 0</div><div>decoder.sll | RxPFRbond02 | 0</div><div>decoder.tcp | RxPFRbond02 | 24665968</div><div>decoder.udp | RxPFRbond02 | 8600129</div><div>decoder.sctp | RxPFRbond02 | 0</div><div>decoder.icmpv4 | RxPFRbond02 | 113797</div><div>decoder.icmpv6 | RxPFRbond02 | 0</div><div>decoder.ppp | RxPFRbond02 | 0</div><div>decoder.pppoe | RxPFRbond02 | 0</div><div>decoder.gre | RxPFRbond02 | 0</div><div>decoder.vlan | RxPFRbond02 | 0</div><div>decoder.vlan_qinq | RxPFRbond02 | 0</div><div>decoder.teredo | RxPFRbond02 | 506</div><div>decoder.ipv4_in_ipv6 | RxPFRbond02 | 0</div><div>decoder.ipv6_in_ipv6 | RxPFRbond02 | 0</div><div>decoder.mpls | RxPFRbond02 | 0</div><div>decoder.avg_pkt_size | RxPFRbond02 | 753</div><div>decoder.max_pkt_size | RxPFRbond02 | 1514</div><div>decoder.erspan | RxPFRbond02 | 0</div><div>flow.memcap | RxPFRbond02 | 0</div><div>defrag.ipv4.fragments | RxPFRbond02 | 1103110</div><div>defrag.ipv4.reassembled | RxPFRbond02 | 550393</div><div>defrag.ipv4.timeouts | RxPFRbond02 | 0</div><div>defrag.ipv6.fragments | RxPFRbond02 | 0</div><div>defrag.ipv6.reassembled | RxPFRbond02 | 0</div><div>defrag.ipv6.timeouts | RxPFRbond02 | 0</div><div>defrag.max_frag_hits | RxPFRbond02 | 0</div><div>tcp.sessions | RxPFRbond02 | 172432</div><div>tcp.ssn_memcap_drop | RxPFRbond02 | 0</div><div>tcp.pseudo | RxPFRbond02 | 79224</div><div>tcp.pseudo_failed | RxPFRbond02 | 0</div><div>tcp.invalid_checksum | RxPFRbond02 | 0</div><div>tcp.no_flow | RxPFRbond02 | 0</div><div>tcp.syn | RxPFRbond02 | 183912</div><div>tcp.synack | RxPFRbond02 | 150219</div><div>tcp.rst | RxPFRbond02 | 143693</div><div>tcp.segment_memcap_drop | RxPFRbond02 | 0</div><div>tcp.stream_depth_reached | RxPFRbond02 | 105</div><div>tcp.reassembly_gap | RxPFRbond02 | 4710</div><div>detect.alert | RxPFRbond02 | 3469</div><div>capture.kernel_packets | RxPFRbond03 | 38750498</div><div>capture.kernel_drops | RxPFRbond03 | 1511800</div><div>decoder.pkts | RxPFRbond03 | 38762341</div><div>decoder.bytes | RxPFRbond03 | 32714534213</div><div>decoder.invalid | RxPFRbond03 | 0</div><div>decoder.ipv4 | RxPFRbond03 | 39299710</div><div>decoder.ipv6 | RxPFRbond03 | 512</div><div>decoder.ethernet | RxPFRbond03 | 38762341</div><div>decoder.raw | RxPFRbond03 | 0</div><div>decoder.null | RxPFRbond03 | 0</div><div>decoder.sll | RxPFRbond03 | 0</div><div>decoder.tcp | RxPFRbond03 | 21943466</div><div>decoder.udp | RxPFRbond03 | 15992492</div><div>decoder.sctp | RxPFRbond03 | 0</div><div>decoder.icmpv4 | RxPFRbond03 | 178089</div><div>decoder.icmpv6 | RxPFRbond03 | 0</div><div>decoder.ppp | RxPFRbond03 | 0</div><div>decoder.pppoe | RxPFRbond03 | 0</div><div>decoder.gre | RxPFRbond03 | 0</div><div>decoder.vlan | RxPFRbond03 | 0</div><div>decoder.vlan_qinq | RxPFRbond03 | 0</div><div>decoder.teredo | RxPFRbond03 | 512</div><div>decoder.ipv4_in_ipv6 | RxPFRbond03 | 0</div><div>decoder.ipv6_in_ipv6 | RxPFRbond03 | 0</div><div>decoder.mpls | RxPFRbond03 | 0</div><div>decoder.avg_pkt_size | RxPFRbond03 | 843</div><div>decoder.max_pkt_size | RxPFRbond03 | 1514</div><div>decoder.erspan | RxPFRbond03 | 0</div><div>flow.memcap | RxPFRbond03 | 0</div><div>defrag.ipv4.fragments | RxPFRbond03 | 1078454</div><div>defrag.ipv4.reassembled | RxPFRbond03 | 537369</div><div>defrag.ipv4.timeouts | RxPFRbond03 | 0</div><div>defrag.ipv6.fragments | RxPFRbond03 | 0</div><div>defrag.ipv6.reassembled | RxPFRbond03 | 0</div><div>defrag.ipv6.timeouts | RxPFRbond03 | 0</div><div>defrag.max_frag_hits | RxPFRbond03 | 0</div><div>tcp.sessions | RxPFRbond03 | 169832</div><div>tcp.ssn_memcap_drop | RxPFRbond03 | 0</div><div>tcp.pseudo | RxPFRbond03 | 78504</div><div>tcp.pseudo_failed | RxPFRbond03 | 0</div><div>tcp.invalid_checksum | RxPFRbond03 | 0</div><div>tcp.no_flow | RxPFRbond03 | 0</div><div>tcp.syn | RxPFRbond03 | 181453</div><div>tcp.synack | RxPFRbond03 | 147649</div><div>tcp.rst | RxPFRbond03 | 139792</div><div>tcp.segment_memcap_drop | RxPFRbond03 | 0</div><div>tcp.stream_depth_reached | RxPFRbond03 | 94</div><div>tcp.reassembly_gap | RxPFRbond03 | 2567</div><div>detect.alert | RxPFRbond03 | 3416</div><div>capture.kernel_packets | RxPFRbond04 | 63727760</div><div>capture.kernel_drops | RxPFRbond04 | 3046651</div><div>decoder.pkts | RxPFRbond04 | 63747722</div><div>decoder.bytes | RxPFRbond04 | 55373084583</div><div>decoder.invalid | RxPFRbond04 | 0</div><div>decoder.ipv4 | RxPFRbond04 | 64056225</div><div>decoder.ipv6 | RxPFRbond04 | 487</div><div>decoder.ethernet | RxPFRbond04 | 63747722</div><div>decoder.raw | RxPFRbond04 | 0</div><div>decoder.null | RxPFRbond04 | 0</div><div>decoder.sll | RxPFRbond04 | 0</div><div>decoder.tcp | RxPFRbond04 | 55855784</div><div>decoder.udp | RxPFRbond04 | 7447497</div><div>decoder.sctp | RxPFRbond04 | 0</div><div>decoder.icmpv4 | RxPFRbond04 | 133539</div><div>decoder.icmpv6 | RxPFRbond04 | 0</div><div>decoder.ppp | RxPFRbond04 | 0</div><div>decoder.pppoe | RxPFRbond04 | 0</div><div>decoder.gre | RxPFRbond04 | 0</div><div>decoder.vlan | RxPFRbond04 | 0</div><div>decoder.vlan_qinq | RxPFRbond04 | 0</div><div>decoder.teredo | RxPFRbond04 | 487</div><div>decoder.ipv4_in_ipv6 | RxPFRbond04 | 0</div><div>decoder.ipv6_in_ipv6 | RxPFRbond04 | 0</div><div>decoder.mpls | RxPFRbond04 | 0</div><div>decoder.avg_pkt_size | RxPFRbond04 | 868</div><div>decoder.max_pkt_size | RxPFRbond04 | 1514</div><div>decoder.erspan | RxPFRbond04 | 0</div><div>flow.memcap | RxPFRbond04 | 0</div><div>defrag.ipv4.fragments | RxPFRbond04 | 619405</div><div>defrag.ipv4.reassembled | RxPFRbond04 | 308503</div><div>defrag.ipv4.timeouts | RxPFRbond04 | 0</div><div>defrag.ipv6.fragments | RxPFRbond04 | 0</div><div>defrag.ipv6.reassembled | RxPFRbond04 | 0</div><div>defrag.ipv6.timeouts | RxPFRbond04 | 0</div><div>defrag.max_frag_hits | RxPFRbond04 | 0</div><div>tcp.sessions | RxPFRbond04 | 171368</div><div>tcp.ssn_memcap_drop | RxPFRbond04 | 0</div><div>tcp.pseudo | RxPFRbond04 | 78609</div><div>tcp.pseudo_failed | RxPFRbond04 | 0</div><div>tcp.invalid_checksum | RxPFRbond04 | 0</div><div>tcp.no_flow | RxPFRbond04 | 0</div><div>tcp.syn | RxPFRbond04 | 182409</div><div>tcp.synack | RxPFRbond04 | 149124</div><div>tcp.rst | RxPFRbond04 | 143473</div><div>tcp.segment_memcap_drop | RxPFRbond04 | 0</div><div>tcp.stream_depth_reached | RxPFRbond04 | 82</div><div>tcp.reassembly_gap | RxPFRbond04 | 35459</div><div>detect.alert | RxPFRbond04 | 3770</div><div>flow_mgr.closed_pruned | FlowManagerThread | 310602</div><div>flow_mgr.new_pruned | FlowManagerThread | 549722</div><div>flow_mgr.est_pruned | FlowManagerThread | 380334</div><div>flow.spare | FlowManagerThread | 799999</div><div>flow.emerg_mode_entered | FlowManagerThread | 0</div><div>flow.emerg_mode_over | FlowManagerThread | 0</div><div>flow.tcp_reuse | FlowManagerThread | 237</div><div>flow_mgr.closed_pruned | FlowManagerThread | 308878</div><div>flow_mgr.new_pruned | FlowManagerThread | 544586</div><div>flow_mgr.est_pruned | FlowManagerThread | 379393</div><div>flow.spare | FlowManagerThread | 799402</div><div>flow.emerg_mode_entered | FlowManagerThread | 0</div><div>flow.emerg_mode_over | FlowManagerThread | 0</div><div>flow.tcp_reuse | FlowManagerThread | 252</div><div>tcp.memuse | Global | 439248976</div><div>tcp.reassembly_memuse | Global | 1717630000</div><div>dns.memuse | Global | 476478</div><div>dns.memcap_state | Global | 0</div><div>dns.memcap_global | Global | 0</div><div>http.memuse | Global | 536216</div><div>http.memcap | Global | 0</div><div>flow.memuse | Global | 237040288</div></div><div><br></div> </div></body>
</html>