[Oisf-users] memcap_drop in stats.log
Fernando Ortiz
fernando.ortiz.f at gmail.com
Mon Aug 1 21:10:32 UTC 2011
I once asked something similar:
http://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-June/000658.html
Just for curiosity. What is your maximum consumption of RAM while running
suricata?
2011/8/1 Gene Albin <gene.albin at gmail.com>
> So it looks like increasing the stream and flow memcap variables to 1 and 2
> GB seems to have fixed the segment_memcap_drop numbers:
>
> tcp.sessions | Decode & Stream | 62179
> tcp.ssn_memcap_drop | Decode & Stream | 0
> tcp.pseudo | Decode & Stream | 10873
> tcp.segment_memcap_drop | Decode & Stream | 0
> tcp.stream_depth_reached | Decode & Stream | 347
> detect.alert | Detect | 715
>
> But according to (ReceivePcapThreadExitStats) I'm still losing about 20% of
> my packets. Any ideas on why this may be? Below is a cut from the
> suricata.log file showing the packet drops after I increased the memcap
> values.
>
> Increased Flow memcap from 32MB to 1GB
> No change:
>
> [11736] 1/8/2011 -- 13:27:07 - (source-pcap.c:561) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 1784959, bytes
> 1318154313
> [11736] 1/8/2011 -- 13:27:07 - (source-pcap.c:569) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:3865595
> Recv:2825319 Drop:1040276 (26.9%).
>
> Increased Stream memcap from 32MB to 1GB
> Increased Stream reassembly memcap from 64MB to 2GB
> No change:
>
> [11955] 1/8/2011 -- 13:34:38 - (source-pcap.c:561) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 2906643, bytes
> 1977212962
> [11955] 1/8/2011 -- 13:34:38 - (source-pcap.c:569) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:5634300
> Recv:4270513 Drop:1363787 (24.2%).
>
> Gene
>
>
> On Fri, Jul 29, 2011 at 8:17 PM, Gene Albin <gene.albin at gmail.com> wrote:
>
>> What causes the tcp.segment_memcap_drop and the tcp.ssn_memcap_drop
>> counters to increment in the stats.log file? I haven't found much of a
>> description or suggestions on what I can do to reduce the number. Here is a
>> cut from my stats.log file:
>>
>> tcp.sessions | Decode & Stream | 569818
>> tcp.ssn_memcap_drop | Decode & Stream | 0
>> tcp.pseudo | Decode & Stream | 94588
>> tcp.segment_memcap_drop | Decode & Stream | 11204200
>> tcp.stream_depth_reached | Decode & Stream | 14
>> detect.alert | Detect | 13239
>>
>> Thanks for any suggestions.
>>
>> Gene
>>
>> --
>> Gene Albin
>> gene.albin at gmail.com
>>
>>
>
>
> --
> Gene Albin
> gene.albin at gmail.com
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110801/8db27bec/attachment-0002.html>
More information about the Oisf-users
mailing list