[Oisf-users] memcap_drop in stats.log

Gene Albin gene.albin at gmail.com
Mon Aug 1 20:59:58 UTC 2011 

So it looks like increasing the stream and flow memcap variables to 1 and 2
GB seems to have fixed the segment_memcap_drop numbers:

tcp.sessions              | Decode & Stream           | 62179
tcp.ssn_memcap_drop       | Decode & Stream           | 0
tcp.pseudo                | Decode & Stream           | 10873
tcp.segment_memcap_drop   | Decode & Stream           | 0
tcp.stream_depth_reached  | Decode & Stream           | 347
detect.alert              | Detect                    | 715

But according to (ReceivePcapThreadExitStats) I'm still losing about 20% of
my packets.  Any ideas on why this may be?  Below is a cut from the
suricata.log file showing the packet drops after I increased the memcap
values.

Increased Flow memcap from 32MB to 1GB
No change:

[11736] 1/8/2011 -- 13:27:07 - (source-pcap.c:561) <Info>
(ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 1784959, bytes
1318154313
[11736] 1/8/2011 -- 13:27:07 - (source-pcap.c:569) <Info>
(ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:3865595
Recv:2825319 Drop:1040276 (26.9%).

Increased Stream memcap from 32MB to 1GB
Increased Stream reassembly memcap from 64MB to 2GB
No change:

[11955] 1/8/2011 -- 13:34:38 - (source-pcap.c:561) <Info>
(ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 2906643, bytes
1977212962
[11955] 1/8/2011 -- 13:34:38 - (source-pcap.c:569) <Info>
(ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:5634300
Recv:4270513 Drop:1363787 (24.2%).

Gene


On Fri, Jul 29, 2011 at 8:17 PM, Gene Albin <gene.albin at gmail.com> wrote:

> What causes the tcp.segment_memcap_drop and the tcp.ssn_memcap_drop
> counters to increment in the stats.log file?  I haven't found much of a
> description or suggestions on what I can do to reduce the number.  Here is a
> cut from my stats.log file:
>
> tcp.sessions              | Decode & Stream           | 569818
> tcp.ssn_memcap_drop       | Decode & Stream           | 0
> tcp.pseudo                | Decode & Stream           | 94588
> tcp.segment_memcap_drop   | Decode & Stream           | 11204200
> tcp.stream_depth_reached  | Decode & Stream           | 14
> detect.alert              | Detect                    | 13239
>
> Thanks for any suggestions.
>
> Gene
>
> --
> Gene Albin
> gene.albin at gmail.com
>
>


-- 
Gene Albin
gene.albin at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110801/4026b7cc/attachment-0002.html>

More information about the Oisf-users mailing list