[Oisf-users] Questions about stats and packet drops

Cooper F. Nelson cnelson at ucsd.edu
Wed Jan 7 17:08:04 UTC 2015



Responses inline as well.

On 1/7/2015 8:14 AM, Jose Vila wrote:
> 
>> I'm using PF_RING and getting these values for tcp.reassembly_memuse

Ok, well to be honest I've only used AF_PACKET mode, so all my tips may
not be apropos.  I've suggested in the past to try setting up a separate
config file using AF_PACKET mode to see if that helps the issue.

> 
>> I've had some problems with these options before. Giving too large a
>> number made Suricata unable to start in my config.
> 
>> Anyway I'm giving it another shot to see if I can raise their value and
>> get Suri to work.

Again, these are AF_PACKET mode specific optimizations.  I'm not an
expert on the differences between the AF_PACKET and PF_RING
implementations, but I think AF_PACKET may have an additional socket
buffer that can help mitigate packet drops vs. PF_RING.  But don't quote
me on that!

> 
>> So the segment of the stream that passes "depth" size is simply
>> discarded without inspection?

Yes if you have that option set.  Setting it to "0" will attempt to
track entire streams, up to your memcap.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042


