[Oisf-users] Suricata and tcp.reassembly_gap
Peter Bates
peter.bates at ucl.ac.uk
Sat Jun 30 12:58:14 UTC 2012
Hello again all
On 30/06/2012 13:31, Peter Bates wrote:
> Will increasing the AF_PACKET buffer see my reassembly_gaps
> decrease/disappear?
Okay, so I increased the AF_PACKET buffer to 1Gb and I'd forgotten
about the checksum/NIC settings as mentioned at
http://securityonion.blogspot.co.uk/2011/10/when-is-full-packet-capture-not-full.html
Things are looking healthier:
Date: 6/30/2012 -- 13:57:18 (uptime: 0d, 00h 12m 00s)
tcp.reassembly_gap | Detect | 11
detect.alert | Detect | 0
capture.kernel_packets | RxAFP1 | 6628005
capture.kernel_drops | RxAFP1 | 1186
--
Peter Bates
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT