[Oisf-users] memcap_drop in stats.log

Fernando Ortiz fernando.ortiz.f at gmail.com
Mon Aug 1 21:10:32 UTC 2011


I once asked something similar:
http://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-June/000658.html

Just for curiosity. What is your maximum consumption of RAM while running
suricata?


2011/8/1 Gene Albin <gene.albin at gmail.com>

> So it looks like increasing the stream and flow memcap variables to 1 and 2
> GB seems to have fixed the segment_memcap_drop numbers:
>
> tcp.sessions              | Decode & Stream           | 62179
>  tcp.ssn_memcap_drop       | Decode & Stream           | 0
> tcp.pseudo                | Decode & Stream           | 10873
> tcp.segment_memcap_drop   | Decode & Stream           | 0
> tcp.stream_depth_reached  | Decode & Stream           | 347
> detect.alert              | Detect                    | 715
>
> But according to (ReceivePcapThreadExitStats) I'm still losing about 20% of
> my packets.  Any ideas on why this may be?  Below is a cut from the
> suricata.log file showing the packet drops after I increased the memcap
> values.
>
> Increased Flow memcap from 32MB to 1GB
> No change:
>
> [11736] 1/8/2011 -- 13:27:07 - (source-pcap.c:561) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 1784959, bytes
> 1318154313
> [11736] 1/8/2011 -- 13:27:07 - (source-pcap.c:569) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:3865595
> Recv:2825319 Drop:1040276 (26.9%).
>
> Increased Stream memcap from 32MB to 1GB
> Increased Stream reassembly memcap from 64MB to 2GB
> No change:
>
> [11955] 1/8/2011 -- 13:34:38 - (source-pcap.c:561) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 2906643, bytes
> 1977212962
> [11955] 1/8/2011 -- 13:34:38 - (source-pcap.c:569) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:5634300
> Recv:4270513 Drop:1363787 (24.2%).
>
> Gene
>
>
> On Fri, Jul 29, 2011 at 8:17 PM, Gene Albin <gene.albin at gmail.com> wrote:
>
>> What causes the tcp.segment_memcap_drop and the tcp.ssn_memcap_drop
>> counters to increment in the stats.log file?  I haven't found much of a
>> description or suggestions on what I can do to reduce the number.  Here is a
>> cut from my stats.log file:
>>
>> tcp.sessions              | Decode & Stream           | 569818
>> tcp.ssn_memcap_drop       | Decode & Stream           | 0
>> tcp.pseudo                | Decode & Stream           | 94588
>> tcp.segment_memcap_drop   | Decode & Stream           | 11204200
>> tcp.stream_depth_reached  | Decode & Stream           | 14
>> detect.alert              | Detect                    | 13239
>>
>> Thanks for any suggestions.
>>
>> Gene
>>
>> --
>> Gene Albin
>> gene.albin at gmail.com
>>
>>
>
>
> --
> Gene Albin
> gene.albin at gmail.com
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110801/8db27bec/attachment-0002.html>


More information about the Oisf-users mailing list