[Oisf-users] My missing packets are back !

[Travel Factory S.r.l.]

Now I have my missing packets back.

New linux with 2.6.38 kernel, suricata 1.2.1, e1000e lan card, 
starting from clean yaml file with all rules removed but my own...

Started suricata with:
suricata -c /etc/suricata/suricata.yaml --af-packet=eth4 
--runmode=autofp


stats.log reports:
Date: 2/23/2012 -- 16:51:35 (uptime: 0d, 01h 11m 04s)
tcp.memuse                | Detect                    | 
237072960.000000
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 
12458622240.000000
flow.memuse               | FlowManagerThread         | 
27841936.000000



The reassembly_memuse counter keeps adding, sometimes it lowers a 
bit...

Changes applied are (please tell me which one are not important)
-#max-pending-packets: 50
+max-pending-packets: 5000

-#default-packet-size: 1514
+default-packet-size: 15140

-    cluster-type: cluster_round_robin
+    cluster-type: cluster_flow

  stream:
-  memcap: 32mb
+  memcap: 2048mb

    reassembly:
-    memcap: 64mb
+    memcap: 2048mb

(and rules removed)

I also run the tuning network kernel parameters I found in the mailing 
list..

Now, after more than one hour, I have 0 packet missed in suricata and 
all my test rule are triggered correctly !

Tomorrow I will try the PF_RING road...

Thank everybody for your help.

Francesco