[Oisf-users] Grows the value 'TCP reassembly gaps'

Andreas Herz andi at geekosphere.org
Wed Feb 15 20:27:51 UTC 2017

On 14/02/17 at 11:30, Бунин Владимир wrote:
>    Hello!
>    I tried to find the solution on the Internet but only in one post
>    ([1]https://lists.openinfosecfoundation.org/pipermail/oisf-users/2012-A
>    pril/001560.html) was said that this value means the counter of lost
>    packets. Why does it happen? The counter of kernel dropped packets is
>    clean, others problem indicators are clean too. But TCP reassembly gaps
>    grows extremely. Can it be because of slow speed of hard drive? Or CPU
>    speed? At the same time CPU and memory are not overloaded. CPU
>    utilization is about 20%, sometimes increases to 70%, total memory is
>    16Gb, available 11Gb.

Could you be a little more verbose about your setup and how you run
suricata, like runmode/packetcapture and version?

Andreas Herz

More information about the Oisf-users mailing list