[Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support

Nelson, Cooper cnelson at ucsd.edu
Tue Jul 2 21:14:27 UTC 2019


Actually, might want to hold off on this. I’m seeing lots of TRUNCATED files associated with what appears to be some sort of streaming traffic, which I think would be expected. I.e., the client just kills the stream at some point for whatever reason.

From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Nelson, Cooper
Sent: Tuesday, July 2, 2019 9:51 AM
To: Michał Purzyński <michalpurzynski1 at gmail.com>
Cc: Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] [EXT] Re: Packet loss and increased resource consumption after upgrade to 4.1.2 with Rust support

Fragmented TCP packets will still be directed to the ‘wrong’ RSS queue, but will ultimately be copied to the correct worker thread. They may arrive out-of-order, not sure how much of an issue this is. Something you could do to further test this would be to enable full file logging/extraction and look for files tagged as “TRUNCATED” in the eve logs. That’s a ‘red flag’ that the stream tracking isn’t working properly for big TCP flows. Keep in mind you will always see some truncated files organically; however, if you see the same file being truncated, that’s indicative of a problem with TCP flow tracking for that particular network.
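
The check described in the thread, as an added example that is not part of the original messages: it counts `fileinfo` events whose state is `TRUNCATED` per host and filename, and reports only files truncated repeatedly, so one-off stream aborts drop out. The sample log lines are constructed, the `min_count` threshold is a hypothetical parameter, and HTTP file transfers with `http.hostname` present in the event are assumed.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not real traffic); the last line is a
# partially written record, as seen at the tail of a live log.
SAMPLE_EVE = """\
{"event_type":"fileinfo","src_ip":"192.0.2.10","http":{"hostname":"dl.example.test"},"fileinfo":{"filename":"/iso/image.iso","state":"TRUNCATED","size":1048576}}
{"event_type":"fileinfo","src_ip":"192.0.2.11","http":{"hostname":"dl.example.test"},"fileinfo":{"filename":"/iso/image.iso","state":"TRUNCATED","size":2097152}}
{"event_type":"fileinfo","src_ip":"192.0.2.12","http":{"hostname":"dl.example.test"},"fileinfo":{"filename":"/iso/image.iso","state":"TRUNCATED","size":524288}}
{"event_type":"fileinfo","src_ip":"192.0.2.13","http":{"hostname":"dl.example.test"},"fileinfo":{"filename":"/iso/image.iso","state":"CLOSED","size":7340032}}
{"event_type":"fileinfo","src_ip":"192.0.2.14","http":{"hostname":"stream.example.test"},"fileinfo":{"filename":"/live/seg1.ts","state":"TRUNCATED","size":90000}}
{"event_type":"fileinfo","src_ip":"192.0.2.15","http":{"hostname":"www.example.test"},"fileinfo":{"filename":"/index.html","state":"CLOSED","size":512}}
{"event_type":"flow","src_ip":"192.0.2.10","proto":"TCP"}
{"event_type":"fileinfo","fileinfo":{"filena
"""


def truncated_repeats(lines, min_count=2):
    """Map (host, filename) -> (truncated, total) for files truncated >= min_count times."""
    truncated, total = Counter(), Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip incomplete or corrupt records instead of aborting
        if ev.get("event_type") != "fileinfo":
            continue
        info = ev.get("fileinfo", {})
        key = (ev.get("http", {}).get("hostname", "-"), info.get("filename", "-"))
        total[key] += 1
        if info.get("state") == "TRUNCATED":
            truncated[key] += 1
    return {k: (n, total[k]) for k, n in truncated.items() if n >= min_count}


if __name__ == "__main__":
    hits = truncated_repeats(SAMPLE_EVE.splitlines())
    for (host, name), (n, tot) in sorted(hits.items()):
        print(f"{host}{name}: truncated {n} of {tot} transfers")
```

To run it against a real log, pass an open file handle for `eve.json` in place of `SAMPLE_EVE.splitlines()`.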
