[Oisf-users] memcap_drop in stats.log
Victor Julien
victor at inliniac.net
Tue Aug 23 15:27:43 UTC 2011
On 08/01/2011 10:59 PM, Gene Albin wrote:
> So it looks like increasing the stream and flow memcap variables to 1 and 2
> GB seems to have fixed the segment_memcap_drop numbers:
>
> tcp.sessions | Decode & Stream | 62179
> tcp.ssn_memcap_drop | Decode & Stream | 0
> tcp.pseudo | Decode & Stream | 10873
> tcp.segment_memcap_drop | Decode & Stream | 0
> tcp.stream_depth_reached | Decode & Stream | 347
> detect.alert | Detect | 715
>
> But according to (ReceivePcapThreadExitStats) I'm still losing about 20% of
> my packets. Any ideas on why this may be? Below is a cut from the
> suricata.log file showing the packet drops after I increased the memcap
> values.
The packet drop stats from pcap and the memcap drop stats are unrelated.
The memcap drop stats represent segments / sessions that are not
processed by the stream engine because it's memory limit is reached.
Packets are still inspected individually but stream / app layer
inspection will be impaired.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list