[Oisf-users] Questions about stats and packet drops
Jose Vila
jovimon at gmail.com
Wed Dec 24 08:37:56 UTC 2014
Hi,
I'm playing around with Suricata, and want to reduce the number of drops.
I have 1000Mbits/s traffic and a server with 12 cores and 12GB of RAM. The
objective of this sensor is to get HTTP and DNS logging and it only has a
bunch of very simple rules for file extraction.
I'm using PF_RING, and recently switched to "workers" runmode, which
reduced my packet drop rate (capture.kernel_drop statistic) to around 5-6%
with 6 worker threads.
My memcaps are:
defrag.memcap = 32mb
flow.memcap = 256mb
stream.memcap = 7gb
stream.reassembly.memcap = 3gb
stream.reassembly.depth = 8mb
Below there's an excerpt of my latest stats.
I have some questions:
* What exactly does "tcp.reassembly_memuse" mean, and in which units is it
measured? If it's measured in bytes, the value means more than 18 exabytes!!!
* I believe "tcp.segment_memcap_drop" means packets received by Suricata
(thus counted in "capture.kernel_packets") but that couldn't get to the (stream
or reassembly?) processor for further treatment. Which processor is the
right one? How can I reduce its value?
* I believe "tcp.stream_depth_reached" gets incremented each time the
"stream.reassembly.depth" is reached, but no packets are dropped here, they
are passed to other processors for further inspection. Is this right?
* What exactly does "tcp.reassembly_gap" mean?
Thank you very much and Merry Christmas ;)
Regards,
Jose Vila.
capture.kernel_packets | RxPFRbond01 | 499299739
capture.kernel_drops | RxPFRbond01 | 19672447
tcp.sessions | RxPFRbond01 | 8563505
tcp.ssn_memcap_drop | RxPFRbond01 | 0
tcp.pseudo | RxPFRbond01 | 875207
tcp.invalid_checksum | RxPFRbond01 | 0
tcp.no_flow | RxPFRbond01 | 0
tcp.reused_ssn | RxPFRbond01 | 6062
tcp.memuse | RxPFRbond01 | 11549744
tcp.syn | RxPFRbond01 | 9026381
tcp.synack | RxPFRbond01 | 4749788
tcp.rst | RxPFRbond01 | 1851321
tcp.segment_memcap_drop | RxPFRbond01 | 25237344
tcp.stream_depth_reached | RxPFRbond01 | 1767
tcp.reassembly_memuse | RxPFRbond01 | 18446744073584737005
tcp.reassembly_gap | RxPFRbond01 | 1484974
capture.kernel_packets | RxPFRbond02 | 492433102
capture.kernel_drops | RxPFRbond02 | 40354598
tcp.sessions | RxPFRbond02 | 8399520
tcp.ssn_memcap_drop | RxPFRbond02 | 0
tcp.pseudo | RxPFRbond02 | 835717
tcp.invalid_checksum | RxPFRbond02 | 0
tcp.no_flow | RxPFRbond02 | 0
tcp.reused_ssn | RxPFRbond02 | 6986
tcp.memuse | RxPFRbond02 | 11428576
tcp.syn | RxPFRbond02 | 8855093
tcp.synack | RxPFRbond02 | 4589567
tcp.rst | RxPFRbond02 | 1785767
tcp.segment_memcap_drop | RxPFRbond02 | 24774361
tcp.stream_depth_reached | RxPFRbond02 | 1532
tcp.reassembly_memuse | RxPFRbond02 | 18446744073584737005
tcp.reassembly_gap | RxPFRbond02 | 1425344
capture.kernel_packets | RxPFRbond03 | 492419647
capture.kernel_drops | RxPFRbond03 | 42845268
tcp.sessions | RxPFRbond03 | 8385635
tcp.ssn_memcap_drop | RxPFRbond03 | 0
tcp.pseudo | RxPFRbond03 | 822302
tcp.invalid_checksum | RxPFRbond03 | 0
tcp.no_flow | RxPFRbond03 | 0
tcp.reused_ssn | RxPFRbond03 | 6046
tcp.memuse | RxPFRbond03 | 11537648
tcp.syn | RxPFRbond03 | 8837803
tcp.synack | RxPFRbond03 | 4571846
tcp.rst | RxPFRbond03 | 1773068
tcp.segment_memcap_drop | RxPFRbond03 | 25125565
tcp.stream_depth_reached | RxPFRbond03 | 1527
tcp.reassembly_memuse | RxPFRbond03 | 18446744073584737005
tcp.reassembly_gap | RxPFRbond03 | 1433148
capture.kernel_packets | RxPFRbond04 | 480476000
capture.kernel_drops | RxPFRbond04 | 33911729
tcp.sessions | RxPFRbond04 | 8445070
tcp.ssn_memcap_drop | RxPFRbond04 | 0
tcp.pseudo | RxPFRbond04 | 846767
tcp.invalid_checksum | RxPFRbond04 | 0
tcp.no_flow | RxPFRbond04 | 0
tcp.reused_ssn | RxPFRbond04 | 6037
tcp.memuse | RxPFRbond04 | 11420720
tcp.syn | RxPFRbond04 | 8898042
tcp.synack | RxPFRbond04 | 4648242
tcp.rst | RxPFRbond04 | 1810163
tcp.segment_memcap_drop | RxPFRbond04 | 24907905
tcp.stream_depth_reached | RxPFRbond04 | 1675
tcp.reassembly_memuse | RxPFRbond04 | 18446744073584737005
tcp.reassembly_gap | RxPFRbond04 | 1432792
capture.kernel_packets | RxPFRbond05 | 472165077
capture.kernel_drops | RxPFRbond05 | 19792478
tcp.sessions | RxPFRbond05 | 8584426
tcp.ssn_memcap_drop | RxPFRbond05 | 0
tcp.pseudo | RxPFRbond05 | 883513
tcp.invalid_checksum | RxPFRbond05 | 0
tcp.no_flow | RxPFRbond05 | 0
tcp.reused_ssn | RxPFRbond05 | 6273
tcp.memuse | RxPFRbond05 | 11500976
tcp.syn | RxPFRbond05 | 9046229
tcp.synack | RxPFRbond05 | 4763061
tcp.rst | RxPFRbond05 | 1853137
tcp.segment_memcap_drop | RxPFRbond05 | 24989622
tcp.stream_depth_reached | RxPFRbond05 | 1737
tcp.reassembly_memuse | RxPFRbond05 | 18446744073584737005
tcp.reassembly_gap | RxPFRbond05 | 1435203
capture.kernel_packets | RxPFRbond06 | 462382502
capture.kernel_drops | RxPFRbond06 | 34364858
tcp.sessions | RxPFRbond06 | 8449179
tcp.ssn_memcap_drop | RxPFRbond06 | 0
tcp.pseudo | RxPFRbond06 | 839632
tcp.invalid_checksum | RxPFRbond06 | 0
tcp.no_flow | RxPFRbond06 | 0
tcp.reused_ssn | RxPFRbond06 | 5880
tcp.memuse | RxPFRbond06 | 11420336
tcp.syn | RxPFRbond06 | 8898974
tcp.synack | RxPFRbond06 | 4644933
tcp.rst | RxPFRbond06 | 1801340
tcp.segment_memcap_drop | RxPFRbond06 | 25160551
tcp.stream_depth_reached | RxPFRbond06 | 1505
tcp.reassembly_memuse | RxPFRbond06 | 18446744073584737005
tcp.reassembly_gap | RxPFRbond06 | 1452496
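Added example, not part of the original post: a small parser for the `counter | thread | value` lines above that computes the per-thread ratio of `capture.kernel_drops` to `capture.kernel_packets` and reinterprets `tcp.reassembly_memuse` as a signed 64-bit number. Reading the counter as signed is an assumption made here to show how close the value sits to 2^64; the function names are hypothetical, and whether `kernel_packets` already includes the dropped packets depends on the capture method.

```python
import re

# Lines copied from the stats excerpt in the post above (two of the six workers).
SAMPLE = """\
capture.kernel_packets | RxPFRbond01 | 499299739
capture.kernel_drops | RxPFRbond01 | 19672447
tcp.reassembly_memuse | RxPFRbond01 | 18446744073584737005
capture.kernel_packets | RxPFRbond02 | 492433102
capture.kernel_drops | RxPFRbond02 | 40354598
tcp.reassembly_memuse | RxPFRbond02 | 18446744073584737005
"""

LINE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_stats(text):
    """Return {thread: {counter: int}} from 'counter | thread | value' lines."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # skip headers, separators and blank lines
            counter, thread, value = m.groups()
            stats.setdefault(thread, {})[counter] = int(value)
    return stats

def drop_percent(counters):
    """capture.kernel_drops as a percentage of capture.kernel_packets."""
    packets = counters.get("capture.kernel_packets", 0)
    drops = counters.get("capture.kernel_drops", 0)
    return 100.0 * drops / packets if packets else 0.0

def as_signed64(value):
    """Reinterpret an unsigned 64-bit counter as signed (two's complement)."""
    return value - (1 << 64) if value >= (1 << 63) else value

def report(text):
    """One summary row per thread, sorted by thread name."""
    rows = []
    for thread, c in sorted(parse_stats(text).items()):
        memuse = c.get("tcp.reassembly_memuse", 0)
        rows.append({
            "thread": thread,
            "drop_pct": round(drop_percent(c), 2),
            "memuse_signed": as_signed64(memuse),
            "memuse_above_2_63": memuse >= (1 << 63),
        })
    return rows

if __name__ == "__main__":
    print(*report(SAMPLE), sep="\n")
```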