[Oisf-users] Questions about stats and packet drops
Cooper F. Nelson
cnelson at ucsd.edu
Wed Jan 7 17:08:04 UTC 2015
Responses inline as well.
On 1/7/2015 8:14 AM, Jose Vila wrote:
>
>> I'm using PF_RING and getting these values for tcp.reassembly_memuse
Ok, well to be honest I've only used AF_PACKET mode, so all my tips may
not be apropos. I've suggested in the past to try setting up a separate
config file using AF_PACKET mode to see if that helps the issue.
>
>> I've had some problems with these options before. Giving a too large
>> number made Suricata unable to start in my config.
>
>> Anyway I'm giving it another shot to see if I can raise their value and
>> get Suri to work.
Again, these are AF_PACKET mode specific optimizations. I'm not an
expert on the differences between the AF_PACKET and PF_RING
implementations, but I think AF_PACKET may have an additional socket
buffer that can help mitigate packet drops vs. PF_RING. But don't quote
me on that!
>
>> So the segment of the stream that passes "depth" size is simply
>> discarded without inspection?
Yes if you have that option set. Setting it to "0" will attempt to
track entire streams, up to your memcap.
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042