[Oisf-users] Percentage of dropped packets
Victor Julien
victor at inliniac.net
Tue May 29 15:15:11 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/29/2012 05:03 PM, Peter Bates wrote:
> Being reasonably used to the Snort perfmonitor output, I'm trying
> to understand which line in stats.log might refer to dropped
> packets.
>
> Suricata is (when foregrounded) saying things like:
>
> [5535] 29/5/2012 -- 15:56:04 - (flow-manager.c:510) <Info>
> (FlowManagerThread) -- Flow emergency mode over, back to normal...
> unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1338303363,
> ts.tv_usec:940223) flow_spare_q status(): 1062% flows at the queue
>
> And in stats.log I'm seeing:
>
> Date: 5/29/2012 -- 15:56:33 (uptime: 0d, 01h 31m 23s)
> -------------------------------------------------------------------
> Counter | TM Name | Value
> -------------------------------------------------------------------
> flow_mgr.closed_pruned | FlowManagerThread | 10540043
> flow_mgr.new_pruned | FlowManagerThread | 4116068
> flow_mgr.est_pruned | FlowManagerThread | 200991
> flow.memuse | FlowManagerThread | 30501404
> flow.spare | FlowManagerThread | 10233
> flow.emerg_mode_entered | FlowManagerThread | 118
> flow.emerg_mode_over | FlowManagerThread | 118
It's probably wise to increase your flow.memcap. The flow engine ran out
of memory 118 times here.
> decoder.pkts | AFPacketeth61 | 179519552
> decoder.bytes | AFPacketeth61 | 142002380276
> decoder.ipv4 | AFPacketeth61 | 179554718
> decoder.ipv6 | AFPacketeth61 | 379469
> decoder.ethernet | AFPacketeth61 | 179519552
> decoder.raw | AFPacketeth61 | 0
> decoder.sll | AFPacketeth61 | 0
> decoder.tcp | AFPacketeth61 | 151975697
> decoder.udp | AFPacketeth61 | 26584288
> decoder.sctp | AFPacketeth61 | 0
> decoder.icmpv4 | AFPacketeth61 | 88177
> decoder.icmpv6 | AFPacketeth61 | 21233
> decoder.ppp | AFPacketeth61 | 406824
> decoder.pppoe | AFPacketeth61 | 0
> decoder.gre | AFPacketeth61 | 406843
> decoder.vlan | AFPacketeth61 | 0
> decoder.avg_pkt_size | AFPacketeth61 | 791
> decoder.max_pkt_size | AFPacketeth61 | 1514
> defrag.ipv4.fragments | AFPacketeth61 | 375839
> defrag.ipv4.reassembled | AFPacketeth61 | 35789
> defrag.ipv4.timeouts | AFPacketeth61 | 0
> defrag.ipv6.fragments | AFPacketeth61 | 35
> defrag.ipv6.reassembled | AFPacketeth61 | 0
> defrag.ipv6.timeouts | AFPacketeth61 | 0
> tcp.sessions | AFPacketeth61 | 1809706
> tcp.ssn_memcap_drop | AFPacketeth61 | 0
> tcp.pseudo | AFPacketeth61 | 216
> tcp.invalid_checksum | AFPacketeth61 | 42560
Invalid checksums can be caused by checksum offloading on your NIC.
> tcp.no_flow | AFPacketeth61 | 0
> tcp.reused_ssn | AFPacketeth61 | 67
> tcp.memuse | AFPacketeth61 | 4325376
> tcp.syn | AFPacketeth61 | 1878430
> tcp.synack | AFPacketeth61 | 1295929
> tcp.rst | AFPacketeth61 | 405377
> tcp.segment_memcap_drop | AFPacketeth61 | 0
If this starts incrementing you should increase the
stream.reassembly.memcap limit.
> tcp.stream_depth_reached | AFPacketeth61 | 1
> tcp.reassembly_memuse | AFPacketeth61 | 15422350
> tcp.reassembly_gap | AFPacketeth61 | 4894
This is an indicator for packet loss. It indicates missing packets in
TCP streams. It is possible that it's caused by the invalid checksums
above as well though.
> detect.alert | AFPacketeth61 | 630
>
> Both values with 'drop' in their name are 0; is there a reported
> value in this list that corresponds to 'packets dropped'?
These "drops" only relate to the memcap settings for stream and
stream.reassembly. No relation with pkt loss.
- --
- ---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk/E5/8ACgkQiSMBBAuniMeWvACfaJggblhHTVaL9nw9jTtoJYX1
nVQAn1HlgmL2e1oBB1GxxhUSZwqY5Usu
=wTze
-----END PGP SIGNATURE-----
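As an added example (not code from the thread or from the Suricata project), the script below parses the `Counter | TM Name | Value` layout of stats.log quoted above, compares two snapshots, and reports only the counters Victor's reply singles out: `flow.emerg_mode_entered` (raise flow.memcap), `tcp.ssn_memcap_drop` and `tcp.segment_memcap_drop` (memcap limits, not capture loss), `tcp.invalid_checksum` (NIC checksum offloading) and `tcp.reassembly_gap` (missing segments, the closest thing here to a packet-loss indicator). The first snapshot reuses the values posted in the thread; the second snapshot, the counter subset, and the advice strings are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Snapshot 1: excerpt of the stats.log quoted in the thread (same values).
SNAPSHOT_1 = """\
Date: 5/29/2012 -- 15:56:33 (uptime: 0d, 01h 31m 23s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
flow.emerg_mode_entered   | FlowManagerThread         | 118
flow.emerg_mode_over      | FlowManagerThread         | 118
decoder.pkts              | AFPacketeth61             | 179519552
tcp.ssn_memcap_drop       | AFPacketeth61             | 0
tcp.invalid_checksum      | AFPacketeth61             | 42560
tcp.segment_memcap_drop   | AFPacketeth61             | 0
tcp.reassembly_gap        | AFPacketeth61             | 4894
"""

# Snapshot 2: constructed, hypothetical later interval used to show delta logic.
SNAPSHOT_2 = """\
Date: 5/29/2012 -- 15:56:41 (uptime: 0d, 01h 31m 31s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
flow.emerg_mode_entered   | FlowManagerThread         | 120
flow.emerg_mode_over      | FlowManagerThread         | 120
decoder.pkts              | AFPacketeth61             | 180000000
tcp.ssn_memcap_drop       | AFPacketeth61             | 0
tcp.invalid_checksum      | AFPacketeth61             | 43000
tcp.segment_memcap_drop   | AFPacketeth61             | 0
tcp.reassembly_gap        | AFPacketeth61             | 5000
"""

# A counter line is "name | thread-module name | integer"; header, date and
# separator lines do not match and are skipped.
LINE_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Interpretation of each counter, mirroring the reply in the thread (constructed text).
ADVICE = {
    "flow.emerg_mode_entered": "flow engine ran out of memory; raise flow.memcap",
    "tcp.ssn_memcap_drop": "stream memcap hit; raise stream.memcap (not capture loss)",
    "tcp.segment_memcap_drop": "reassembly memcap hit; raise stream.reassembly.memcap (not capture loss)",
    "tcp.invalid_checksum": "bad TCP checksums; check checksum offloading on the NIC",
    "tcp.reassembly_gap": "missing segments in TCP streams; packet-loss indicator (or a checksum side effect)",
}


def parse_stats(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(counter, tm_name): value} for every counter line in a stats.log dump."""
    counters: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[(m.group(1), m.group(2))] = int(m.group(3))
    return counters


def deltas(prev: Dict[Tuple[str, str], int],
           cur: Dict[Tuple[str, str], int]) -> Dict[Tuple[str, str], int]:
    """Per-counter increase between two snapshots (counters missing in prev are ignored)."""
    return {k: cur[k] - prev[k] for k in cur if k in prev}


def assess(prev: Dict[Tuple[str, str], int],
           cur: Dict[Tuple[str, str], int]) -> List[str]:
    """List the watched counters that incremented, with the matching advice."""
    findings = []
    for (name, tm), delta in sorted(deltas(prev, cur).items()):
        if name in ADVICE and delta > 0:
            findings.append(f"{name} ({tm}) +{delta}: {ADVICE[name]}")
    return findings


def memcap_drop_counters(counters: Dict[Tuple[str, str], int]) -> List[str]:
    """Names containing 'drop' in this stats.log: all memcap-related, none a capture-drop counter."""
    return sorted({name for (name, _tm) in counters if "drop" in name})


if __name__ == "__main__":
    s1, s2 = parse_stats(SNAPSHOT_1), parse_stats(SNAPSHOT_2)
    print("'drop' counters present:", memcap_drop_counters(s1))
    for finding in assess(s1, s2):
        print(finding)
```

Running it against the two snapshots prints the three counters that moved (`flow.emerg_mode_entered`, `tcp.invalid_checksum`, `tcp.reassembly_gap`) with their deltas; the two memcap drop counters stay at 0 and are listed separately so they are not mistaken for capture loss.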