[Oisf-users] Suricata and tcp.reassembly_gap
Peter Bates
peter.bates at ucl.ac.uk
Sat Jun 30 12:31:11 UTC 2012
Hello all
Back again with more questions.
I'm testing the latest Suricata from GIT (I'm presuming it is mostly
the same as 1.3rc1).
Debian 6, using AF_PACKET (although I also built with PF_RING)
on a box with e1000e NIC and a Gigabit link which is only seeing
around 75Mbits/sec (according to pfcount).
Date: 6/30/2012 -- 13:27:11 (uptime: 0d, 00h 04m 06s)
tcp.reassembly_gap | Detect | 1887
detect.alert | Detect | 3
capture.kernel_drops | RxAFP1 | 0
Date: 6/30/2012 -- 13:27:18 (uptime: 0d, 00h 04m 13s)
tcp.reassembly_gap | Detect | 2001
detect.alert | Detect | 3
capture.kernel_drops | RxAFP1 | 0
[24168] 30/6/2012 -- 13:23:05 - (source-af-packet.c:850) <Info>
(AFPCreateSocket) -- Setting AF_PACKET socket buffer to 724280
[24167] 30/6/2012 -- 13:23:05 - (tm-threads.c:1973) <Info>
(TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 3
management threads initialized, engine started.
Will increasing the AF_PACKET buffer see my reassembly_gaps
decrease/disappear?
--
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
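
Added example, not part of the original message and not Suricata code: a small script that parses stats dumps in the format quoted in the post and reports how much tcp.reassembly_gap and capture.kernel_drops grow between consecutive dumps. The function names and the embedded sample (copied from the two dumps in the message) are constructions for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the two stats dumps quoted in the message above.
SAMPLE = """\
Date: 6/30/2012 -- 13:27:11 (uptime: 0d, 00h 04m 06s)
tcp.reassembly_gap | Detect | 1887
detect.alert | Detect | 3
capture.kernel_drops | RxAFP1 | 0
Date: 6/30/2012 -- 13:27:18 (uptime: 0d, 00h 04m 13s)
tcp.reassembly_gap | Detect | 2001
detect.alert | Detect | 3
capture.kernel_drops | RxAFP1 | 0
"""
DATE_RE = re.compile(r"^Date:\s+(\d+/\d+/\d+) -- (\d+:\d+:\d+)")
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return [(timestamp, {counter: value summed over threads}), ...]."""
    dumps = []
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.groups()), "%m/%d/%Y %H:%M:%S")
            dumps.append((ts, {}))
        elif dumps and (m := COUNTER_RE.match(line)):
            counters = dumps[-1][1]
            counters[m.group(1)] = counters.get(m.group(1), 0) + int(m.group(3))
    return dumps

def deltas(dumps, names=("tcp.reassembly_gap", "capture.kernel_drops")):
    """Increase and per-second rate of each named counter between dumps."""
    rows = []
    for (t0, c0), (t1, c1) in zip(dumps, dumps[1:]):
        secs = (t1 - t0).total_seconds()
        if secs <= 0:
            continue  # duplicate or out-of-order dump
        row = {"seconds": secs}
        for name in names:
            inc = c1.get(name, 0) - c0.get(name, 0)
            if inc < 0:  # counter went down: engine restarted, count from zero
                inc = c1.get(name, 0)
            row[name] = (inc, round(inc / secs, 2))
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in deltas(parse_dumps(SAMPLE)):
        print(row)
```

On the two dumps quoted in the message this reports 114 new reassembly gaps over 7 seconds while capture.kernel_drops stays at 0.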