[Oisf-users] tcp.segment_memcap_drop
Peter Manev
petermanev at gmail.com
Thu Jun 26 07:19:21 UTC 2014
On Wed, Jun 25, 2014 at 3:37 PM, Kurzawa, Kevin
<kkurzawa at co.pinellas.fl.us> wrote:
> Using pcap because ... well, I don't know any better? I guess I don't really know the alternatives. PF Ring is the other option right?
There is pcap, pf_ring and af_packet.
af_packet works "out of the box", just make sure your kernel is not
older than 3.2.
runmode: workers seems to be the best option for af_packet.
For pf_ring you need to compile and make a module, also make sure your
kernel is not older than 3.0 (2.6.32 being the bare minimum)
runmode: workers seems to be the best option for pf_ring as well.
Our wiki provides some guidance -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki
and then there are a number of articles on the net and on our user
mail list archives regarding high perf tuning.
>
> Is this the potential source of the tcp.reassembly_gap?
No
--
Regards,
Peter Manev
More information about the Oisf-users
mailing list