[Oisf-users] tcp.segment_memcap_drop

Kurzawa, Kevin kkurzawa at co.pinellas.fl.us
Wed Jun 11 13:52:05 UTC 2014 

This is Suricata version 2.0 RELEASE

Yea, that number tcp.reassembly_memuse shot up the other day suddenly. I restarted Suricata yesterday afternoon and here are the new relavent numbers. 

-------------------------------------------------------------------
Date: 6/11/2014 -- 09:11:12 (uptime: 0d, 16h 08m 30s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapbond01              | 405967168
capture.kernel_drops      | RxPcapbond01              | 449953
capture.kernel_ifdrops    | RxPcapbond01              | 0
tcp.sessions              | Detect                    | 4552548
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 8401072
tcp.stream_depth_reached  | Detect                    | 3298
tcp.reassembly_memuse     | Detect                    | 8589934576
tcp.reassembly_gap        | Detect                    | 1902749

My related entries from suricata.yaml: 

stream:
  memcap: 2gb
  reassembly:
    memcap: 2gb
    depth: 1mb                

I checked my memory usage and am at 3gb out of 8gb's at the time of the above statistics.

I'm assuming that the tcp.reassembly_memuse not what I think it is. It shows 8.5gb's at the moment but ... not sure why. Is there a bug or some error between the chair and the keyboard?

Where does the tcp.reassembly_gap come into play with these numbers also?


-----Original Message-----
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Tuesday, June 10, 2014 4:39 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] tcp.segment_memcap_drop

On 06/09/2014 04:50 PM, Kurzawa, Kevin wrote:
> Regarding the statistic tcp.segment_memcap_drop
> 
>  
> 
> What is this statistic compared to?
> 
> tcp.ssn_memcap_drop is compared to tcp.sessions
> 
> capture.kernel_drops is compared to capture.kernel_packets
> 
> But what is tcp.segment_memcap_drop compared to?

It relates to tcp.reassembly_memuse. If the tcp.segment_memcap_drop counter is increased, it means that the stream engine is out of reassembly memory.

>  
> 
> What should this drop rate be? Under 1% like the capture.kernel_drops?

Ideally it's 0.

> tcp.reassembly_memuse            | Detect                    |
> 18446744073420130184

This value looks like a bug here. What suri version are you running?

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/

More information about the Oisf-users mailing list