[Oisf-users] packet loss troubleshooting

Yasha Zislin coolyasha at hotmail.com
Tue Dec 8 15:14:25 UTC 2015


I am trying to narrow down good config to reduce packet loss. It seems that it is related to reassembly of streams.I keep getting reassembly gaps and therefore packet loss. Here is an example stats.logcapture.kernel_packets    | RxPFReth02                | 455937792capture.kernel_drops      | RxPFReth02                | 2921250dns.memuse                | RxPFReth02                | 248dns.memcap_state          | RxPFReth02                | 0dns.memcap_global         | RxPFReth02                | 0decoder.pkts              | RxPFReth02                | 455937797decoder.bytes             | RxPFReth02                | 251634185655decoder.invalid           | RxPFReth02                | 0decoder.ipv4              | RxPFReth02                | 455937797decoder.ipv6              | RxPFReth02                | 0decoder.ethernet          | RxPFReth02                | 455937797decoder.raw               | RxPFReth02                | 0decoder.null              | RxPFReth02                | 0decoder.sll               | RxPFReth02                | 0decoder.tcp               | RxPFReth02                | 441994599decoder.udp               | RxPFReth02                | 2105539decoder.sctp              | RxPFReth02                | 0decoder.icmpv4            | RxPFReth02                | 11834719decoder.icmpv6            | RxPFReth02                | 0decoder.ppp               | RxPFReth02                | 0decoder.pppoe             | RxPFReth02                | 0decoder.gre               | RxPFReth02                | 0decoder.vlan              | RxPFReth02                | 0decoder.vlan_qinq         | RxPFReth02                | 0decoder.teredo            | RxPFReth02                | 0decoder.ipv4_in_ipv6      | RxPFReth02                | 0decoder.ipv6_in_ipv6      | RxPFReth02                | 0decoder.mpls              | RxPFReth02                | 0decoder.avg_pkt_size      | RxPFReth02                | 551decoder.max_pkt_size      | RxPFReth02                | 1510defrag.ipv4.fragments     | RxPFReth02                | 0defrag.ipv4.reassembled   | RxPFReth02                | 0defrag.ipv4.timeouts      | RxPFReth02                | 0defrag.ipv6.fragments     | RxPFReth02                | 0defrag.ipv6.reassembled   | RxPFReth02                | 0defrag.ipv6.timeouts      | RxPFReth02                | 0defrag.max_frag_hits      | RxPFReth02                | 0tcp.sessions              | RxPFReth02                | 2006412tcp.ssn_memcap_drop       | RxPFReth02                | 0tcp.pseudo                | RxPFReth02                | 967397tcp.pseudo_failed         | RxPFReth02                | 0tcp.invalid_checksum      | RxPFReth02                | 0tcp.no_flow               | RxPFReth02                | 0tcp.memuse                | RxPFReth02                | 115872960tcp.syn                   | RxPFReth02                | 2110195tcp.synack                | RxPFReth02                | 1939793tcp.rst                   | RxPFReth02                | 601837tcp.segment_memcap_drop   | RxPFReth02                | 0tcp.stream_depth_reached  | RxPFReth02                | 12791tcp.reassembly_memuse     | RxPFReth02                | 895804872tcp.reassembly_gap        | RxPFReth02                | 27248http.memuse               | RxPFReth02                | 12684863http.memcap               | RxPFReth02                | 0detect.alert              | RxPFReth02                | 30913
I keep increasing memcaps in stream, reassembly, prealloc session numbers. Segments in reassembly have been tweaked already.
It feels like I am just guessing with memcaps. Is there a better way to know which buffer setting I need to increase?
Thank you. 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151208/4e971684/attachment.html>


More information about the Oisf-users mailing list