[Oisf-users] tcp.segment_memcap_drop
Victor Julien
lists at inliniac.net
Thu Jun 26 07:22:17 UTC 2014
On 06/26/2014 09:19 AM, Peter Manev wrote:
> On Wed, Jun 25, 2014 at 3:37 PM, Kurzawa, Kevin
> <kkurzawa at co.pinellas.fl.us> wrote:
>> Using pcap because ... well, I don't know any better? I guess I don't really know the alternatives. PF Ring is the other option, right?
>
> There is pcap, pf_ring and af_packet.
>
> af_packet works "out of the box", just make sure your kernel is not
> older than 3.2.
> runmode: workers seems to be the best option for af_packet.
>
> For pf_ring you need to compile and make a module, also make sure your
> kernel is not older than 3.0 (2.6.32 being the bare minimum).
> runmode: workers seems to be the best option for pf_ring as well.
>
>
> Our wiki provides some guidance -
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki
> and then there are a number of articles on the net and on our user
> mail list archives regarding high perf tuning.
>
>>
>> Is this the potential source of the tcp.reassembly_gap?
>
> No
Uh, yes? Packet loss is certainly a big factor in tcp.reassembly_gap.
Stats do show packet loss, so using a faster capture method may
certainly help.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
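
Added example, not part of the original message or of Suricata itself: a small parser that checks whether growth in tcp.reassembly_gap coincides with capture packet loss between two stats dumps. It assumes the three-column stats.log layout and the capture.kernel_packets / capture.kernel_drops counter names; the sample values are constructed.

```python
import re

# Constructed sample in the three-column layout assumed for stats.log
# (counter | thread module | value); the numbers are made up.
SAMPLE_STATS = """\
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 4000000
capture.kernel_drops      | RxPcapeth01               | 200000
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 5000
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 9000000
capture.kernel_drops      | RxPcapeth01               | 900000
tcp.segment_memcap_drop   | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 21000
"""

ROW = re.compile(r"^\s*([a-z_.0-9]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_snapshots(text):
    """Return one dict per stats dump, summing each counter over threads."""
    snapshots = []
    for line in text.splitlines():
        if line.startswith("Counter"):  # header row opens a new dump
            snapshots.append({})
            continue
        m = ROW.match(line)
        if m and snapshots:
            name, _thread, value = m.groups()
            snapshots[-1][name] = snapshots[-1].get(name, 0) + int(value)
    return snapshots

def interval_report(prev, cur):
    """Counters are cumulative, so compare deltas between two dumps."""
    delta = lambda key: cur.get(key, 0) - prev.get(key, 0)
    pkts = delta("capture.kernel_packets")
    drops = delta("capture.kernel_drops")
    return {
        # drops as a share of the packets the kernel reported in the interval
        "drop_pct": round(100.0 * drops / pkts, 2) if pkts > 0 else 0.0,
        "new_gaps": delta("tcp.reassembly_gap"),
        "new_memcap_drops": delta("tcp.segment_memcap_drop"),
    }

if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE_STATS)
    print(interval_report(snaps[0], snaps[1]))
```

Gaps that rise while new_memcap_drops stays at zero and drop_pct is non-zero point at capture loss rather than at the stream memcap.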