[Oisf-users] tcp.segment_memcap_drop

Adnan Baykal abaykal at gmail.com
Thu Jun 5 18:17:28 UTC 2014


My bad on "reply all".

I enabled http.log in the yaml file. I don't see any entries in there unless
I enabled midstream.




On Thu, Jun 5, 2014 at 2:08 PM, Peter Manev <petermanev at gmail.com> wrote:

> On Thu, Jun 5, 2014 at 8:04 PM, Adnan Baykal <abaykal at gmail.com> wrote:
> > What I found just now is that if I disable the midstream and async
> > settings, drops go to 0. Yet, still no HTTP logging.
> >
> >
>
>
> Please do not forget to click "reply all" when you are answering; that
> way the user list will see your replies as well.
>
> Which Suricata ver are you using?
> What do you mean 0 http logging - is that in eve.json or in http.log?
> Are all enabled in suricata.yaml?
>
> > On Thu, Jun 5, 2014 at 2:03 PM, Peter Manev <petermanev at gmail.com> wrote:
> >>
> >> On Thu, Jun 5, 2014 at 7:56 PM, Adnan Baykal <abaykal at gmail.com> wrote:
> >> > What is this measure? As soon as I start Suri, I get this number in 15K
> >> > and just keeps going up significantly. Can anyone tell me what affects
> >> > tcp.segment_memcap_drop counter and what I can do to get it down?
> >>
> >> In general you need to increase the stream memcap settings in yaml
> >>
> >> > I have 16GB ram and already have memcap at 6gb and reassembly memcap at
> >> > 12GB and depth: at 1mb
> >> >
> >> > Thanks
> >>
> >>
> >> If you have 16 GB RAM in total and you have 6+12 in Suricata = 18 you
> >> will go into swap at some point and degrade performance not only for
> >> Suri but for the whole machine as well.
> >>
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
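
The memory arithmetic raised in this thread (6 GB stream memcap plus 12 GB reassembly memcap on a 16 GB host) can be checked mechanically before starting Suricata. The script below is an added example, not part of the original messages or of Suricata itself; the function names, the 25% reserve for the OS and other allocations, and the sample fragment are assumptions, and the scan goes slightly beyond the thread by summing every `memcap:` key it finds rather than only the two stream ones.

```python
import re

# Size suffixes as used in suricata.yaml, case-insensitive; no suffix = bytes.
_UNITS = {"": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_size(text):
    """Convert a size such as '6gb' or '12GB' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-zA-Z]*)\s*", text)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]

def find_memcaps(yaml_text):
    """Return {dotted.path: bytes} for every 'memcap:' key in the text.

    Indentation-based scan for plain nested mappings; not a full YAML parser.
    """
    stack, found = [], {}  # stack holds (indent, key) of enclosing sections
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if key == "memcap" and value:
            path = ".".join([k for _, k in stack] + ["memcap"])
            found[path] = parse_size(value)
        elif not value:
            stack.append((indent, key))
    return found

def budget(yaml_text, ram_bytes, reserve=0.25):
    """Sum all memcaps and flag when they exceed RAM minus the reserve."""
    caps = find_memcaps(yaml_text)
    total = sum(caps.values())
    return caps, total, total > ram_bytes * (1 - reserve)

# Constructed fragment using the values quoted in the thread.
SAMPLE = """
stream:
  memcap: 6gb
  reassembly:
    memcap: 12GB
    depth: 1mb
"""

if __name__ == "__main__":
    caps, total, over = budget(SAMPLE, parse_size("16gb"))
    for path, size in caps.items():
        print(f"{path:28} {size / 1024**3:6.1f} GiB")
    print(f"total {total / 1024**3:.1f} GiB, over budget: {over}")
```
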