[Oisf-users] Percentage of dropped packets

Victor Julien victor at inliniac.net
Tue May 29 15:15:11 UTC 2012



On 05/29/2012 05:03 PM, Peter Bates wrote:
> Being reasonably used to the Snort perfmonitor output, I'm trying
> to understand which line in stats.log might refer to dropped
> packets.
> 
> Suricata is (when foregrounded) saying things like:
> 
> [5535] 29/5/2012 -- 15:56:04 - (flow-manager.c:510) <Info> 
> (FlowManagerThread) -- Flow emergency mode over, back to normal... 
> unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1338303363, 
> ts.tv_usec:940223) flow_spare_q status(): 1062% flows at the queue
> 
> And in stats.log I'm seeing:
> 
> Date: 5/29/2012 -- 15:56:33 (uptime: 0d, 01h 31m 23s)
> -------------------------------------------------------------------
> Counter                   | TM Name                   | Value
> -------------------------------------------------------------------
> flow_mgr.closed_pruned    | FlowManagerThread         | 10540043
> flow_mgr.new_pruned       | FlowManagerThread         | 4116068
> flow_mgr.est_pruned       | FlowManagerThread         | 200991
> flow.memuse               | FlowManagerThread         | 30501404
> flow.spare                | FlowManagerThread         | 10233
> flow.emerg_mode_entered   | FlowManagerThread         | 118
> flow.emerg_mode_over      | FlowManagerThread         | 118

It's probably wise to increase your flow.memcap. The flow engine ran out
of memory 118 times here.

> decoder.pkts              | AFPacketeth61             | 179519552
> decoder.bytes             | AFPacketeth61             | 142002380276
> decoder.ipv4              | AFPacketeth61             | 179554718
> decoder.ipv6              | AFPacketeth61             | 379469
> decoder.ethernet          | AFPacketeth61             | 179519552
> decoder.raw               | AFPacketeth61             | 0
> decoder.sll               | AFPacketeth61             | 0
> decoder.tcp               | AFPacketeth61             | 151975697 
> decoder.udp               | AFPacketeth61             | 26584288 
> decoder.sctp              | AFPacketeth61             | 0 
> decoder.icmpv4            | AFPacketeth61             | 88177 
> decoder.icmpv6            | AFPacketeth61             | 21233 
> decoder.ppp               | AFPacketeth61             | 406824 
> decoder.pppoe             | AFPacketeth61             | 0 
> decoder.gre               | AFPacketeth61             | 406843 
> decoder.vlan              | AFPacketeth61             | 0 
> decoder.avg_pkt_size      | AFPacketeth61             | 791 
> decoder.max_pkt_size      | AFPacketeth61             | 1514 
> defrag.ipv4.fragments     | AFPacketeth61             | 375839 
> defrag.ipv4.reassembled   | AFPacketeth61             | 35789 
> defrag.ipv4.timeouts      | AFPacketeth61             | 0 
> defrag.ipv6.fragments     | AFPacketeth61             | 35 
> defrag.ipv6.reassembled   | AFPacketeth61             | 0 
> defrag.ipv6.timeouts      | AFPacketeth61             | 0 
> tcp.sessions              | AFPacketeth61             | 1809706 
> tcp.ssn_memcap_drop       | AFPacketeth61             | 0 
> tcp.pseudo                | AFPacketeth61             | 216 
> tcp.invalid_checksum      | AFPacketeth61             | 42560

Invalid checksums can be caused by checksum offloading on your NIC.

> tcp.no_flow               | AFPacketeth61             | 0 
> tcp.reused_ssn            | AFPacketeth61             | 67 
> tcp.memuse                | AFPacketeth61             | 4325376 
> tcp.syn                   | AFPacketeth61             | 1878430 
> tcp.synack                | AFPacketeth61             | 1295929 
> tcp.rst                   | AFPacketeth61             | 405377 
> tcp.segment_memcap_drop   | AFPacketeth61             | 0

If this starts incrementing you should increase the
stream.reassembly.memcap limit.

> tcp.stream_depth_reached  | AFPacketeth61             | 1 
> tcp.reassembly_memuse     | AFPacketeth61             | 15422350 
> tcp.reassembly_gap        | AFPacketeth61             | 4894

This is an indicator for packet loss. It indicates missing packets in
TCP streams. It is possible that it's caused by the invalid checksums
above as well though.

> detect.alert              | AFPacketeth61             | 630
> 
> Both values with 'drop' in their name are 0, is there a reported
> value in this list that corresponds to 'packets dropped'?

These "drops" only relate to the memcap settings for stream and
stream.reassembly. No relation with pkt loss.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
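A small health check built on the counters discussed in this thread, added here as an example (it is not code from the thread or from the Suricata project). The two snapshots are constructed in the stats.log layout quoted above, and the counter-to-memcap mapping follows the reply: emergency mode points at flow.memcap, tcp.ssn_memcap_drop at stream.memcap, tcp.segment_memcap_drop at stream.reassembly.memcap, and a rising tcp.reassembly_gap is the packet-loss indicator unless invalid checksums explain it.

```python
import re

# Two constructed stats.log snapshots (not the poster's real file); the rows
# follow the "Counter | TM Name | Value" layout quoted in the thread.
SNAPSHOT_1 = """\
Date: 5/29/2012 -- 15:56:33 (uptime: 0d, 01h 31m 23s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
flow.emerg_mode_entered   | FlowManagerThread         | 118
tcp.ssn_memcap_drop       | AFPacketeth61             | 0
tcp.segment_memcap_drop   | AFPacketeth61             | 0
tcp.invalid_checksum      | AFPacketeth61             | 42560
tcp.reassembly_gap        | AFPacketeth61             | 4894
"""
SNAPSHOT_2 = """\
Date: 5/29/2012 -- 15:56:41 (uptime: 0d, 01h 31m 31s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
flow.emerg_mode_entered   | FlowManagerThread         | 119
tcp.ssn_memcap_drop       | AFPacketeth61             | 0
tcp.segment_memcap_drop   | AFPacketeth61             | 12
tcp.invalid_checksum      | AFPacketeth61             | 42900
tcp.reassembly_gap        | AFPacketeth61             | 5102
"""

# One counter row: name | thread module | integer value.
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_stats(text: str) -> dict:
    """Return {counter: value}; Date, header and separator lines never match ROW."""
    return {m.group(1): int(m.group(3))
            for m in map(ROW.match, (ln.strip() for ln in text.splitlines())) if m}

def assess(prev: dict, cur: dict) -> list:
    """Apply the thread's rules of thumb to two consecutive snapshots."""
    delta = lambda k: cur.get(k, 0) - prev.get(k, 0)
    findings = []
    if cur.get("flow.emerg_mode_entered", 0) > 0:
        findings.append("flow engine ran out of memory: raise flow.memcap")
    if delta("tcp.ssn_memcap_drop") > 0:
        findings.append("tcp.ssn_memcap_drop rising: raise stream.memcap")
    if delta("tcp.segment_memcap_drop") > 0:
        findings.append("tcp.segment_memcap_drop rising: raise stream.reassembly.memcap")
    if delta("tcp.reassembly_gap") > 0:
        msg = "tcp.reassembly_gap rising: missing TCP segments, possible packet loss"
        if delta("tcp.invalid_checksum") > 0:
            msg += " (invalid checksums also rising: check NIC checksum offloading)"
        findings.append(msg)
    return findings
```

Note that none of the counters in the quoted list reports capture-level drops, so a clean `assess()` result says the memcaps are sufficient, not that the kernel delivered every packet.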

