[Oisf-users] where are my missing packets ?

[Travel Factory S.r.l.]

> To make these go away, increase your stream.reassembly.memcap value. 
>I
> think you have it set to 512mb or so:
> 
> tcp.reassembly_memuse     | Decode & Stream           | 536870870
> 
> You could try doubling it.

I chenged the values, made some tests that failed then I pasted here 
the values so that you could check... I then realized that I - I don't 
remember why - set inline: yes

stream:
   memcap: 640mb
   checksum_validation: no       # reject wrong csums
   inline: yes                    # no inline mode
   reassembly:
     memcap: 2048mb
     depth: 50mb                  # reassemble 1mb into a stream
     toserver_chunk_size: 2560
     toclient_chunk_size: 2560



I then set inline: no and I now have
tcp.segment_memcap_drop   | Detect                    | 0


with inline: yes I had this in stats.log after about 1:30:
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 
38468978961.000000
---
tcp.segment_memcap_drop   | Detect                    | 17583
tcp.reassembly_memuse     | Detect                    | 
38654704962.000000
---
tcp.segment_memcap_drop   | Detect                    | 29346
tcp.reassembly_memuse     | Detect                    | 
38654704962.000000

When tcp.reassembly_memuse topped at 38654704962 suricata started to 
lose packets.

Now, with inline: no, after 10 minutes I have:
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 
15080209344.000000
growing slowing...

So, it seems that I'm actually not losing packets... I will it run 
until memuse values reaches 38.....