[Oisf-users] Configuration strategy for TCP segment pools/chunk pool

Darren Spruell phatbuckett at gmail.com
Sun May 25 09:26:44 UTC 2014


Suricata 2.0 REL, Linux 3.10.40, AF_PACKET autofp runmode, 64 GB RAM.

I'm gimping through some Suricata tuning and dealing with high (66%!)
rates of packet loss. I have a number of limits set fairly high and am
looking for signs of what else may be contributing to packet drop.
Wondering currently about this type of output:

25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 4 had a peak
use of 2041 segments, more than the prealloc setting of 256
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 16 had a
peak use of 105439 segments, more than the prealloc setting of 9216
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 112 had a
peak use of 396057 segments, more than the prealloc setting of 30720
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 248 had a
peak use of 189218 segments, more than the prealloc setting of 16384
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 512 had a
peak use of 506936 segments, more than the prealloc setting of 32768
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 768 had a
peak use of 434310 segments, more than the prealloc setting of 49152
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 1448 had a
peak use of 961419 segments, more than the prealloc setting of 131072
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 65535 had a
peak use of 89941 segments, more than the prealloc setting of 32768
25/5/2014 -- 00:36:29 - <Info> - TCP segment chunk pool had a peak use
of 400440 chunks, more than the prealloc setting of 49152

As can be seen, a number of the prealloc settings have been raised from
the defaults, and these were set based on a previous set of output
lines from a previous run where the preallocated pool size was set to be
slightly higher than the peak use at that time.

I don't quite understand what my aim should be with respect to these
settings. Is it useful to preallocate segment pool capacity to support
the peak use figures a sensor deals with? Are these segment pool
settings potentially important for performance tuning? Could
suboptimal settings potentially affect packet drop on a sensor?

Thanks!

-- 
Darren Spruell
phatbuckett at gmail.com
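
An added example, not part of the original post: a small Python parser for the "TCP segment pool" lines quoted above that reports how far peak use exceeded each prealloc value and how many payload bytes each pool held at peak. The function names are hypothetical, the sample is an excerpt of the log lines from the post, and the byte figure assumes size times count only, with no per-segment bookkeeping overhead.

```python
import re

# Excerpt of the log lines quoted in the post, kept with the e-mail wrapping.
SAMPLE_LOG = """\
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 4 had a peak
use of 2041 segments, more than the prealloc setting of 256
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 1448 had a
peak use of 961419 segments, more than the prealloc setting of 131072
25/5/2014 -- 00:36:29 - <Info> - TCP segment pool of size 65535 had a
peak use of 89941 segments, more than the prealloc setting of 32768
25/5/2014 -- 00:36:29 - <Info> - TCP segment chunk pool had a peak use
of 400440 chunks, more than the prealloc setting of 49152
"""

POOL_RE = re.compile(
    r"TCP segment pool of size (\d+) had a peak use of (\d+) segments, "
    r"more than the prealloc setting of (\d+)")
CHUNK_RE = re.compile(
    r"TCP segment chunk pool had a peak use of (\d+) chunks, "
    r"more than the prealloc setting of (\d+)")

def parse_pools(log_text):
    """Return (pools, chunk): a list of per-size dicts and the chunk pool dict."""
    flat = " ".join(log_text.split())  # undo mail/terminal line wrapping
    pools = []
    for size, peak, prealloc in POOL_RE.findall(flat):
        size, peak, prealloc = int(size), int(peak), int(prealloc)
        pools.append({
            "size": size, "peak": peak, "prealloc": prealloc,
            "ratio": peak / prealloc,
            # Assumption: payload bytes only, no per-segment overhead.
            "peak_payload_bytes": size * peak,
        })
    m = CHUNK_RE.search(flat)
    chunk = {"peak": int(m.group(1)), "prealloc": int(m.group(2))} if m else None
    return pools, chunk

def report(log_text):
    """Format one line per pool, largest payload footprint first."""
    pools, chunk = parse_pools(log_text)
    rows = sorted(pools, key=lambda p: p["peak_payload_bytes"], reverse=True)
    out = ["size=%-6d peak=%-8d prealloc=%-7d x%.1f  %.1f MiB at peak"
           % (p["size"], p["peak"], p["prealloc"], p["ratio"],
              p["peak_payload_bytes"] / 2**20) for p in rows]
    if chunk:
        out.append("chunks: peak=%(peak)d prealloc=%(prealloc)d" % chunk)
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```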

