Allocating host hash failed: max host memcap is smaller than projected hash size

root@OpenWrt:~# suricata -c /etc/suricata/suricata.yaml -i eth0 -vvvvv
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
8/3/2022 -- 10:57:04 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
8/3/2022 -- 10:57:04 - <Info> - CPUs/cores online: 2
8/3/2022 -- 10:57:04 - <Info> - Found an MTU of 1500 for 'eth0'
8/3/2022 -- 10:57:04 - <Info> - Found an MTU of 1500 for 'eth0'
8/3/2022 -- 10:57:04 - <Error> - [ERRCODE: SC_ERR_HOST_INIT(206)] - allocating host hash failed: max host memcap is smaller than projected hash size. Memcap: 0, Hash table size 262144. Calculate total hash size by multiplying "host.hash-size" with 64, which is the hash bucket size.

Reference previous post: Suricata 5.0.3 and OpenWrt

root@OpenWrt:~# suricata -c /etc/suricata/suricata.yaml --dump-config|grep host
host-mode = auto
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 128mb
root@OpenWrt:~#
root@OpenWrt:~# SC_LOG_LEVEL=Debug SC_LOG_OP_FILTER=“host.c” suricata -c /etc/suricata/suricata.yaml -i eth0
8/3/2022 -- 10:59:10 - <Debug> - SCLogSetOPFilter: filter: “host.c”

Protocol Detection Configuration
IPProto: TCP
    Port: 443
        Destination port: (max-depth: 3, mask - 16)
            alproto: ALPROTO_TLS
            port: 443
            mask: 16
            min_depth: 0
            max_depth: 3

    Port: 139
        Destination port: (max-depth: 36, mask - 256)
            alproto: ALPROTO_SMB
            port: 139
            mask: 256
            min_depth: 0
            max_depth: 36

    Port: 445
        Destination port: (max-depth: 36, mask - 256)
            alproto: ALPROTO_SMB
            port: 445
            mask: 256
            min_depth: 0
            max_depth: 36

    Port: 53
        Destination port: (max-depth: 14, mask - 2048)
            alproto: ALPROTO_DNS
            port: 53
            mask: 2048
            min_depth: 0
            max_depth: 14

    Port: 2049
        Destination port: (max-depth: 32, mask - 32768)
            alproto: ALPROTO_NFS
            port: 2049
            mask: 32768
            min_depth: 0
            max_depth: 32

    Port: 88
        Destination port: (max-depth: 16, mask - 1048576)
            alproto: ALPROTO_KRB5
            port: 88
            mask: 1048576
            min_depth: 0
            max_depth: 16

    Port: 1883
        Destination port: (max-depth: 16, mask - 33554432)
            alproto: ALPROTO_MQTT
            port: 1883
            mask: 33554432
            min_depth: 0
            max_depth: 16

    Port: 3389
        Destination port: (max-depth: 16, mask - 268435456)
impossible
            port: 3389
            mask: 268435456
            min_depth: 0
            max_depth: 16

IPProto: UDP
    Port: 53
        Destination port: (max-depth: 12, mask - 2048)
            alproto: ALPROTO_DNS
            port: 53
            mask: 2048
            min_depth: 0
            max_depth: 12

    Port: 2049
        Destination port: (max-depth: 32, mask - 32768)
            alproto: ALPROTO_NFS
            port: 2049
            mask: 32768
            min_depth: 0
            max_depth: 32

    Port: 123
        Destination port: (max-depth: 16, mask - 65536)
            alproto: ALPROTO_NTP
            port: 123
            mask: 65536
            min_depth: 0
            max_depth: 16

    Port: 69
        Destination port: (max-depth: 4, mask - 262144)
            alproto: ALPROTO_TFTP
            port: 69
            mask: 262144
            min_depth: 0
            max_depth: 4

    Port: 500
        Destination port: (max-depth: 16, mask - 524288)
            alproto: ALPROTO_IKEV2
            port: 500
            mask: 524288
            min_depth: 0
            max_depth: 16

    Port: 88
        Destination port: (max-depth: 16, mask - 1048576)
            alproto: ALPROTO_KRB5
            port: 88
            mask: 1048576
            min_depth: 0
            max_depth: 16

    Port: 67
        Destination port: (max-depth: 16, mask - 2097152)
            alproto: ALPROTO_DHCP
            port: 67
            mask: 2097152
            min_depth: 0
            max_depth: 16

    Port: 68
        Destination port: (max-depth: 16, mask - 2097152)
            alproto: ALPROTO_DHCP
            port: 68
            mask: 2097152
            min_depth: 0
            max_depth: 16

    Port: 161
        Destination port: (max-depth: 16, mask - 4194304)
            alproto: ALPROTO_SNMP
            port: 161
            mask: 4194304
            min_depth: 0
            max_depth: 16

    Port: 162
        Destination port: (max-depth: 16, mask - 4194304)
            alproto: ALPROTO_SNMP
            port: 162
            mask: 4194304
            min_depth: 0
            max_depth: 16

    Port: 5060
        Destination port: (max-depth: 16, mask - 8388608)
            alproto: ALPROTO_SIP
            port: 5060
            mask: 8388608
            min_depth: 0
            max_depth: 16

root@OpenWrt:~#
root@OpenWrt:~# suricata --dump-features
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DC_SERVERS = $HOME_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = 80
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
vars.port-groups.MODBUS_PORTS = 502
vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]
vars.port-groups.FTP_PORTS = 21
vars.port-groups.GENEVE_PORTS = 6081
vars.port-groups.VXLAN_PORTS = 4789
vars.port-groups.TEREDO_PORTS = 3544
default-log-dir = /var/log/suricata/
stats = (null)
stats.enabled = yes
stats.interval = 8
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filetype = regular
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.pcap-file = false
outputs.1.eve-log.community-id = false
outputs.1.eve-log.community-id-seed = 0
outputs.1.eve-log.xff = (null)
outputs.1.eve-log.xff.enabled = no
outputs.1.eve-log.xff.mode = extra-data
outputs.1.eve-log.xff.deployment = reverse
outputs.1.eve-log.xff.header = X-Forwarded-For
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = alert
outputs.1.eve-log.types.0.alert = (null)
outputs.1.eve-log.types.0.alert.tagged-packets = yes
outputs.1.eve-log.types.1 = anomaly
outputs.1.eve-log.types.1.anomaly = (null)
outputs.1.eve-log.types.1.anomaly.enabled = yes
outputs.1.eve-log.types.1.anomaly.types = 
outputs.1.eve-log.types.2 = http
outputs.1.eve-log.types.2.http = (null)
outputs.1.eve-log.types.2.http.extended = yes
outputs.1.eve-log.types.3 = dns
outputs.1.eve-log.types.3.dns = 
outputs.1.eve-log.types.4 = tls
outputs.1.eve-log.types.4.tls = (null)
outputs.1.eve-log.types.4.tls.extended = yes
outputs.1.eve-log.types.5 = files
outputs.1.eve-log.types.5.files = (null)
outputs.1.eve-log.types.5.files.force-magic = no
outputs.1.eve-log.types.6 = smtp
outputs.1.eve-log.types.6.smtp = 
outputs.1.eve-log.types.7 = ftp
outputs.1.eve-log.types.8 = rdp
outputs.1.eve-log.types.9 = nfs
outputs.1.eve-log.types.10 = smb
outputs.1.eve-log.types.11 = tftp
outputs.1.eve-log.types.12 = ikev2
outputs.1.eve-log.types.13 = dcerpc
outputs.1.eve-log.types.14 = krb5
outputs.1.eve-log.types.15 = snmp
outputs.1.eve-log.types.16 = rfb
outputs.1.eve-log.types.17 = sip
outputs.1.eve-log.types.18 = dhcp
outputs.1.eve-log.types.18.dhcp = (null)
outputs.1.eve-log.types.18.dhcp.enabled = yes
outputs.1.eve-log.types.18.dhcp.extended = no
outputs.1.eve-log.types.19 = ssh
outputs.1.eve-log.types.20 = mqtt
outputs.1.eve-log.types.20.mqtt = 
outputs.1.eve-log.types.21 = stats
outputs.1.eve-log.types.21.stats = (null)
outputs.1.eve-log.types.21.stats.totals = yes
outputs.1.eve-log.types.21.stats.threads = no
outputs.1.eve-log.types.21.stats.deltas = no
outputs.1.eve-log.types.22 = flow
outputs.2 = http-log
outputs.2.http-log = (null)
outputs.2.http-log.enabled = no
outputs.2.http-log.filename = http.log
outputs.2.http-log.append = yes
outputs.3 = tls-log
outputs.3.tls-log = (null)
outputs.3.tls-log.enabled = no
outputs.3.tls-log.filename = tls.log
outputs.3.tls-log.append = yes
outputs.4 = tls-store
outputs.4.tls-store = (null)
outputs.4.tls-store.enabled = no
outputs.5 = pcap-log
outputs.5.pcap-log = (null)
outputs.5.pcap-log.enabled = no
outputs.5.pcap-log.filename = log.pcap
outputs.5.pcap-log.limit = 1000mb
outputs.5.pcap-log.max-files = 2000
outputs.5.pcap-log.compression = none
outputs.5.pcap-log.mode = normal
outputs.5.pcap-log.use-stream-depth = no
outputs.5.pcap-log.honor-pass-rules = no
outputs.6 = alert-debug
outputs.6.alert-debug = (null)
outputs.6.alert-debug.enabled = no
outputs.6.alert-debug.filename = alert-debug.log
outputs.6.alert-debug.append = yes
outputs.7 = alert-prelude
outputs.7.alert-prelude = (null)
outputs.7.alert-prelude.enabled = no
outputs.7.alert-prelude.profile = suricata
outputs.7.alert-prelude.log-packet-content = no
outputs.7.alert-prelude.log-packet-header = yes
outputs.8 = stats
outputs.8.stats = (null)
outputs.8.stats.enabled = yes
outputs.8.stats.filename = stats.log
outputs.8.stats.append = yes
outputs.8.stats.totals = yes
outputs.8.stats.threads = no
outputs.9 = syslog
outputs.9.syslog = (null)
outputs.9.syslog.enabled = no
outputs.9.syslog.facility = local5
outputs.10 = file-store
outputs.10.file-store = (null)
outputs.10.file-store.version = 2
outputs.10.file-store.enabled = no
outputs.10.file-store.xff = (null)
outputs.10.file-store.xff.enabled = no
outputs.10.file-store.xff.mode = extra-data
outputs.10.file-store.xff.deployment = reverse
outputs.10.file-store.xff.header = X-Forwarded-For
outputs.11 = tcp-data
outputs.11.tcp-data = (null)
outputs.11.tcp-data.enabled = no
outputs.11.tcp-data.type = file
outputs.11.tcp-data.filename = tcp-data.log
outputs.12 = http-body-data
outputs.12.http-body-data = (null)
outputs.12.http-body-data.enabled = no
outputs.12.http-body-data.type = file
outputs.12.http-body-data.filename = http-data.log
outputs.13 = lua
outputs.13.lua = (null)
outputs.13.lua.enabled = no
outputs.13.lua.scripts = 
logging = (null)
logging.default-log-level = notice
logging.default-output-filter = 
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = yes
logging.outputs.1.file.level = info
logging.outputs.1.file.filename = suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> -- 
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.1 = interface
af-packet.1.interface = default
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
pcap-file = (null)
pcap-file.checksum-checks = auto
app-layer = (null)
app-layer.protocols = (null)
app-layer.protocols.rfb = (null)
app-layer.protocols.rfb.enabled = yes
app-layer.protocols.rfb.detection-ports = (null)
app-layer.protocols.rfb.detection-ports.dp = 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
app-layer.protocols.mqtt = 
app-layer.protocols.krb5 = (null)
app-layer.protocols.krb5.enabled = yes
app-layer.protocols.snmp = (null)
app-layer.protocols.snmp.enabled = yes
app-layer.protocols.ikev2 = (null)
app-layer.protocols.ikev2.enabled = yes
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.dcerpc = (null)
app-layer.protocols.dcerpc.enabled = yes
app-layer.protocols.ftp = (null)
app-layer.protocols.ftp.enabled = yes
app-layer.protocols.rdp = 
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
app-layer.protocols.http2 = (null)
app-layer.protocols.http2.enabled = no
app-layer.protocols.http2.http1-rules = no
app-layer.protocols.smtp = (null)
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.smtp.raw-extraction = no
app-layer.protocols.smtp.mime = (null)
app-layer.protocols.smtp.mime.decode-mime = yes
app-layer.protocols.smtp.mime.decode-base64 = yes
app-layer.protocols.smtp.mime.decode-quoted-printable = yes
app-layer.protocols.smtp.mime.header-value-depth = 2000
app-layer.protocols.smtp.mime.extract-urls = yes
app-layer.protocols.smtp.mime.body-md5 = no
app-layer.protocols.smtp.inspected-tracker = (null)
app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768
app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
app-layer.protocols.imap = (null)
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.smb = (null)
app-layer.protocols.smb.enabled = yes
app-layer.protocols.smb.detection-ports = (null)
app-layer.protocols.smb.detection-ports.dp = 139, 445
app-layer.protocols.nfs = (null)
app-layer.protocols.nfs.enabled = yes
app-layer.protocols.tftp = (null)
app-layer.protocols.tftp.enabled = yes
app-layer.protocols.dns = (null)
app-layer.protocols.dns.tcp = (null)
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.tcp.detection-ports = (null)
app-layer.protocols.dns.tcp.detection-ports.dp = 53
app-layer.protocols.dns.udp = (null)
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.dns.udp.detection-ports = (null)
app-layer.protocols.dns.udp.detection-ports.dp = 53
app-layer.protocols.http = (null)
app-layer.protocols.http.enabled = yes
app-layer.protocols.http.libhtp = (null)
app-layer.protocols.http.libhtp.default-config = (null)
app-layer.protocols.http.libhtp.default-config.personality = IDS
app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 40kb
app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 16kb
app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit = 2
app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
app-layer.protocols.http.libhtp.default-config.swf-decompression = (null)
app-layer.protocols.http.libhtp.default-config.swf-decompression.enabled = yes
app-layer.protocols.http.libhtp.default-config.swf-decompression.type = both
app-layer.protocols.http.libhtp.default-config.swf-decompression.compress-depth = 100kb
app-layer.protocols.http.libhtp.default-config.swf-decompression.decompress-depth = 100kb
app-layer.protocols.http.libhtp.default-config.double-decode-path = no
app-layer.protocols.http.libhtp.default-config.double-decode-query = no
app-layer.protocols.http.libhtp.server-config = 
app-layer.protocols.modbus = (null)
app-layer.protocols.modbus.enabled = no
app-layer.protocols.modbus.detection-ports = (null)
app-layer.protocols.modbus.detection-ports.dp = 502
app-layer.protocols.modbus.stream-depth = 0
app-layer.protocols.dnp3 = (null)
app-layer.protocols.dnp3.enabled = no
app-layer.protocols.dnp3.detection-ports = (null)
app-layer.protocols.dnp3.detection-ports.dp = 20000
app-layer.protocols.enip = (null)
app-layer.protocols.enip.enabled = no
app-layer.protocols.enip.detection-ports = (null)
app-layer.protocols.enip.detection-ports.dp = 44818
app-layer.protocols.enip.detection-ports.sp = 44818
app-layer.protocols.ntp = (null)
app-layer.protocols.ntp.enabled = yes
app-layer.protocols.dhcp = (null)
app-layer.protocols.dhcp.enabled = yes
app-layer.protocols.sip = 
asn1-max-frames = 256
coredump = (null)
coredump.max-dump = unlimited
host-mode = auto
unix-command = (null)
unix-command.enabled = auto
legacy = (null)
legacy.uricontent = enabled
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
defrag = (null)
defrag.memcap = 32mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 128mb
flow.hash-size = 65536
flow.prealloc = 10000
flow.emergency-recovery = 30
vlan = (null)
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.bypassed = 100
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.default.emergency-bypassed = 50
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 600
flow-timeouts.tcp.closed = 60
flow-timeouts.tcp.bypassed = 100
flow-timeouts.tcp.emergency-new = 5
flow-timeouts.tcp.emergency-established = 100
flow-timeouts.tcp.emergency-closed = 10
flow-timeouts.tcp.emergency-bypassed = 50
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.bypassed = 100
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.udp.emergency-bypassed = 50
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.bypassed = 100
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
flow-timeouts.icmp.emergency-bypassed = 50
stream = (null)
stream.memcap = 64mb
stream.checksum-validation = yes
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 256mb
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 128mb
decoder = (null)
decoder.teredo = (null)
decoder.teredo.enabled = true
decoder.teredo.ports = $TEREDO_PORTS
decoder.vxlan = (null)
decoder.vxlan.enabled = true
decoder.vxlan.ports = $VXLAN_PORTS
decoder.vntag = (null)
decoder.vntag.enabled = false
decoder.geneve = (null)
decoder.geneve.enabled = true
decoder.geneve.ports = $GENEVE_PORTS
detect = (null)
detect.profile = medium
detect.custom-values = (null)
detect.custom-values.toclient-groups = 3
detect.custom-values.toserver-groups = 25
detect.sgh-mpm-context = auto
detect.inspection-recursion-limit = 3000
detect.prefilter = (null)
detect.prefilter.default = mpm
detect.grouping = 
detect.profiling = (null)
detect.profiling.grouping = (null)
detect.profiling.grouping.dump-to-disk = false
detect.profiling.grouping.include-rules = false
detect.profiling.grouping.include-mpm-stats = false
mpm-algo = auto
spm-algo = auto
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = worker-cpu-set
threading.cpu-affinity.2.worker-cpu-set = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all
threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
threading.cpu-affinity.2.worker-cpu-set.prio = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3
threading.cpu-affinity.2.worker-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.0
luajit = (null)
luajit.states = 128
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.limit = 10
profiling.rules.json = yes
profiling.keywords = (null)
profiling.keywords.enabled = yes
profiling.keywords.filename = keyword_perf.log
profiling.keywords.append = yes
profiling.prefilter = (null)
profiling.prefilter.enabled = yes
profiling.prefilter.filename = prefilter_perf.log
profiling.prefilter.append = yes
profiling.rulegroups = (null)
profiling.rulegroups.enabled = yes
profiling.rulegroups.filename = rule_group_perf.log
profiling.rulegroups.append = yes
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
profiling.pcap-log = (null)
profiling.pcap-log.enabled = no
profiling.pcap-log.filename = pcaplog_stats.log
profiling.pcap-log.append = yes
nfq = 
nflog = (null)
nflog.0 = group
nflog.0.group = 2
nflog.0.buffer-size = 18432
nflog.1 = group
nflog.1.group = default
nflog.1.qthreshold = 1
nflog.1.qtimeout = 100
nflog.1.max-size = 20000
capture = 
netmap = (null)
netmap.0 = interface
netmap.0.interface = eth2
netmap.1 = interface
netmap.1.interface = default
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = auto
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = default
ipfw = 
napatech = (null)
napatech.streams = (null)
napatech.streams.0 = 0-3
napatech.enable-stream-stats = no
napatech.auto-config = yes
napatech.hardware-bypass = yes
napatech.inline = no
napatech.ports = (null)
napatech.ports.0 = 0-1
napatech.ports.1 = 2-3
napatech.hashmode = hash5tuplesorted
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = suricata.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config

This is what @vjulien asked for last time. @ish if you have any suggestions, I’m open.

I’m not able to replicate this issue with the default configuration settings for host nor the configuration settings that you’re using. I tried 6.0.4 and master.

The error is being triggered because the host.memcap value has it’s initial, default value instead of being overridden with the value in host.memcap. The error message states that it needs 256KB but the memcap value is 0.

If you are able to use gdb could you print the value of host_config at line 233 of host.c?

I have access to gdb/remote-gdb, but I’ve never used it for anything substantial. If you tell me how to do it once I’m in gdb, I can get you whatever you need.

Don,

Are you able to rebuild suricata? if so, i’ll provide a simple diff to get the info I was looking for.

Sure. Keep in mind that I am cross-compiling x86_64-gnu to mips64-musl, I don’t know if that makes a difference or not. Everything from rust/cargo to libhtp to suricata is source-built on my end, it’s just a matter of getting to whatever info you are looking for

Sorry, Anything source-wise you need me to change, I can. It just takes a bit more hand-waving on my end. I clone the repo, so it should all “just work” with whatever you send me (OpenWrt’s build system is perfectly able to handle on the fly patching, so a standard a/b patch is appreciated!)

The diff is pretty minor

$ git diff
diff --git a/src/host.c b/src/host.c
index 5480d1b45..e2ee348ef 100644
--- a/src/host.c
+++ b/src/host.c
@@ -197,6 +197,7 @@ void HostInitConfig(char quiet)
     /** set config values for memcap, prealloc and hash_size */
     if ((ConfGetValue("host.memcap", &conf_val)) == 1)
     {
+        SCLogNotice("Using host.memcap = %s", conf_val);
         uint64_t host_memcap = 0;
         if (ParseSizeStringU64(conf_val, &host_memcap) < 0) {
             SCLogError(SC_ERR_SIZE_PARSE, "Error parsing host.memcap "
@@ -209,6 +210,7 @@ void HostInitConfig(char quiet)
     }
     if ((ConfGetValue("host.hash-size", &conf_val)) == 1)
     {
+        SCLogNotice("Using host.hash-size = %s", conf_val);
         if (StringParseUint32(&configval, 10, strlen(conf_val),
                                     conf_val) > 0) {
             host_config.hash_size = configval;
@@ -217,6 +219,7 @@ void HostInitConfig(char quiet)

     if ((ConfGetValue("host.prealloc", &conf_val)) == 1)
     {
+        SCLogNotice("Using host.prealloc = %s", conf_val);
         if (StringParseUint32(&configval, 10, strlen(conf_val),
                                     conf_val) > 0) {
             host_config.prealloc = configval;
@@ -224,7 +227,7 @@ void HostInitConfig(char quiet)
             WarnInvalidConfEntry("host.prealloc", "%"PRIu32, host_config.prealloc);
         }
     }
-    SCLogDebug("Host config from suricata.yaml: memcap: %"PRIu64", hash-size: "
+    SCLogNotice("Host config from suricata.yaml: memcap: %"PRIu64", hash-size: "
                "%"PRIu32", prealloc: %"PRIu32, SC_ATOMIC_GET(host_config.memcap),
                host_config.hash_size, host_config.prealloc);

Compile/build/install and you will see something similar to:

10/3/2022 -- 08:12:17 - <Notice> - This is Suricata version 6.0.4 RELEASE running in USER mode
10/3/2022 -- 08:12:17 - <Notice> - Using host.memcap = 32mb
10/3/2022 -- 08:12:17 - <Notice> - Using host.hash-size = 4096
10/3/2022 -- 08:12:17 - <Notice> - Using host.prealloc = 1000
10/3/2022 -- 08:12:17 - <Notice> - Host config from suricata.yaml: memcap: 33554432, hash-size: 4096, prealloc: 1000
10/3/2022 -- 08:12:18 - <Notice> - all 17 packet processing threads, 4 management threads initialized, engine started.
10/3/2022 -- 08:12:18 - <Notice> - Signal Received.  Stopping engine.
10/3/2022 -- 08:12:18 - <Notice> - Pcap-file module read 1 files, 32 packets, 7037 bytes
root@OpenWrt:~# suricata -vvvvv -c /etc/suricata/suricata.yaml -i eth0
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
10/3/2022 -- 19:09:05 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
10/3/2022 -- 19:09:05 - <Info> - CPUs/cores online: 2
10/3/2022 -- 19:09:05 - <Info> - Found an MTU of 1500 for 'eth0'
10/3/2022 -- 19:09:05 - <Info> - Found an MTU of 1500 for 'eth0'
10/3/2022 -- 19:09:05 - <Notice> - Using host.memcap = 32mb
10/3/2022 -- 19:09:05 - <Notice> - Using host.hash-size = 4096
10/3/2022 -- 19:09:05 - <Notice> - Using host.prealloc = 1000
10/3/2022 -- 19:09:05 - <Notice> - Host config from suricata.yaml: memcap: 0, hash-size: 4096, prealloc: 1000
10/3/2022 -- 19:09:05 - <Error> - [ERRCODE: SC_ERR_HOST_INIT(206)] - allocating host hash failed: max host memcap is smaller than projected hash size. Memcap: 0, Hash table size 262144. Calculate total hash size by multiplying "host.hash-size" with 64, which is the hash bucket size.
root@OpenWrt:~#

My suricata.yaml:

Thanks … I’ve made a slight modification to display the value of host.memcap before and after storing into an atomic variable.

 $ git diff
diff --git a/src/host.c b/src/host.c
index 5480d1b45..719c41575 100644
--- a/src/host.c
+++ b/src/host.c
@@ -197,6 +197,7 @@ void HostInitConfig(char quiet)
     /** set config values for memcap, prealloc and hash_size */
     if ((ConfGetValue("host.memcap", &conf_val)) == 1)
     {
+        SCLogNotice("Using host.memcap = %s", conf_val);
         uint64_t host_memcap = 0;
         if (ParseSizeStringU64(conf_val, &host_memcap) < 0) {
             SCLogError(SC_ERR_SIZE_PARSE, "Error parsing host.memcap "
@@ -204,11 +205,14 @@ void HostInitConfig(char quiet)
                        conf_val);
             exit(EXIT_FAILURE);
         } else {
+            SCLogNotice("Setting host_config.memcap to %" PRIu64, host_memcap);
             SC_ATOMIC_SET(host_config.memcap, host_memcap);
+            SCLogNotice("host_config.memcap is now  %" PRIu64, SC_ATOMIC_GET(host_config.memcap));
         }
     }
     if ((ConfGetValue("host.hash-size", &conf_val)) == 1)
     {
+        SCLogNotice("Using host.hash-size = %s", conf_val);
         if (StringParseUint32(&configval, 10, strlen(conf_val),
                                     conf_val) > 0) {
             host_config.hash_size = configval;
@@ -217,6 +221,7 @@ void HostInitConfig(char quiet)

     if ((ConfGetValue("host.prealloc", &conf_val)) == 1)
     {
+        SCLogNotice("Using host.prealloc = %s", conf_val);
         if (StringParseUint32(&configval, 10, strlen(conf_val),
                                     conf_val) > 0) {
             host_config.prealloc = configval;
@@ -224,7 +229,7 @@ void HostInitConfig(char quiet)
             WarnInvalidConfEntry("host.prealloc", "%"PRIu32, host_config.prealloc);
         }
     }
-    SCLogDebug("Host config from suricata.yaml: memcap: %"PRIu64", hash-size: "
+    SCLogNotice("Host config from suricata.yaml: memcap: %"PRIu64", hash-size: "
                "%"PRIu32", prealloc: %"PRIu32, SC_ATOMIC_GET(host_config.memcap),
                host_config.hash_size, host_config.prealloc);

Could you apply this diff and update the results?

root@OpenWrt:/# suricata -vvvvv -c /etc/suricata/suricata.yaml -i eth0
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
12/3/2022 -- 02:01:44 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
12/3/2022 -- 02:01:44 - <Info> - CPUs/cores online: 2
12/3/2022 -- 02:01:45 - <Info> - Found an MTU of 1500 for 'eth0'
12/3/2022 -- 02:01:45 - <Info> - Found an MTU of 1500 for 'eth0'
12/3/2022 -- 02:01:45 - <Notice> - Using host.memcap = 32mb
12/3/2022 -- 02:01:45 - <Notice> - Setting host_config.memcap to 0
12/3/2022 -- 02:01:45 - <Notice> - host_config.memcap is now  0
12/3/2022 -- 02:01:45 - <Notice> - Using host.hash-size = 4096
12/3/2022 -- 02:01:45 - <Notice> - Using host.prealloc = 1000
12/3/2022 -- 02:01:45 - <Notice> - Host config from suricata.yaml: memcap: 0, hash-size: 4096, prealloc: 1000
12/3/2022 -- 02:01:45 - <Error> - [ERRCODE: SC_ERR_HOST_INIT(206)] - allocating host hash failed: max host memcap is smaller than projected hash size. Memcap: 0, Hash table size 262144. Calculate total hash size by multiplying "host.hash-size" with 64, which is the hash bucket size.
root@OpenWrt:/#

Don,

Hmmmm … Could you set the host.memcap value to 33554432 instead of 32mb?

host:
   memcap: 33554432
root@OpenWrt:/# suricata -vvvvv -c /etc/suricata/suricata.yaml -i eth0
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
12/3/2022 -- 18:12:04 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
12/3/2022 -- 18:12:04 - <Info> - CPUs/cores online: 2
12/3/2022 -- 18:12:04 - <Info> - Found an MTU of 1500 for 'eth0'
12/3/2022 -- 18:12:04 - <Info> - Found an MTU of 1500 for 'eth0'
12/3/2022 -- 18:12:04 - <Notice> - Using host.memcap = 33554432
12/3/2022 -- 18:12:04 - <Notice> - Setting host_config.memcap to 0
12/3/2022 -- 18:12:04 - <Notice> - host_config.memcap is now  0
12/3/2022 -- 18:12:04 - <Notice> - Using host.hash-size = 4096
12/3/2022 -- 18:12:04 - <Notice> - Using host.prealloc = 1000
12/3/2022 -- 18:12:04 - <Notice> - Host config from suricata.yaml: memcap: 0, hash-size: 4096, prealloc: 1000
12/3/2022 -- 18:12:04 - <Error> - [ERRCODE: SC_ERR_HOST_INIT(206)] - allocating host hash failed: max host memcap is smaller than projected hash size. Memcap: 0, Hash table size 262144. Calculate total hash size by multiplying "host.hash-size" with 64, which is the hash bucket size.
root@OpenWrt:/#

Edit: If it helps, you can find me on the Libera IRC

Can we try commenting out the configuration entry for host.memcap? That will cause the default value to be used without trying to extract and parse from the config file.

Thanks

root@OpenWrt:~# suricata -vvvvv -c /etc/suricata/suricata.yaml -i eth0
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
14/3/2022 -- 16:37:53 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
14/3/2022 -- 16:37:53 - <Info> - CPUs/cores online: 2
14/3/2022 -- 16:37:53 - <Info> - Found an MTU of 1500 for 'eth0'
14/3/2022 -- 16:37:53 - <Info> - Found an MTU of 1500 for 'eth0'
14/3/2022 -- 16:37:53 - <Notice> - Using host.hash-size = 4096
14/3/2022 -- 16:37:53 - <Notice> - Using host.prealloc = 1000
14/3/2022 -- 16:37:53 - <Notice> - Host config from suricata.yaml: memcap: 16777216, hash-size: 4096, prealloc: 1000
14/3/2022 -- 16:37:53 - <Error> - [ERRCODE: SC_ERR_DEFRAG_INIT(213)] - allocating defrag hash failed: max defrag memcap is smaller than projected hash size. Memcap: 0, Hash table size 3670016. Calculate total hash size by multiplying "defrag.hash-size" with 56, which is the hash bucket size.
root@OpenWrt:~#

and if I comment out the entire host section:

root@OpenWrt:~# suricata -vvvvv -c /etc/suricata/suricata.yaml -i eth0
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
14/3/2022 -- 17:05:06 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
14/3/2022 -- 17:05:06 - <Info> - CPUs/cores online: 2
14/3/2022 -- 17:05:06 - <Info> - Found an MTU of 1500 for 'eth0'
14/3/2022 -- 17:05:06 - <Info> - Found an MTU of 1500 for 'eth0'
14/3/2022 -- 17:05:06 - <Notice> - Host config from suricata.yaml: memcap: 16777216, hash-size: 4096, prealloc: 1000
14/3/2022 -- 17:05:06 - <Error> - [ERRCODE: SC_ERR_DEFRAG_INIT(213)] - allocating defrag hash failed: max defrag memcap is smaller than projected hash size. Memcap: 0, Hash table size 3670016. Calculate total hash size by multiplying "defrag.hash-size" with 56, which is the hash bucket size.
root@OpenWrt:~#

When I removed ALL of the memcap calls, I get the following:

root@OpenWrt:~# suricata -vvvvv -c /etc/suricata/suricata.yaml -i eth0
Warning: Invalid/No global_log_level assigned by user.  Falling back on the default_log_level "Info"
14/3/2022 -- 21:03:50 - <Notice> - This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
14/3/2022 -- 21:03:50 - <Info> - CPUs/cores online: 2
14/3/2022 -- 21:03:50 - <Info> - Found an MTU of 1500 for 'eth0'
14/3/2022 -- 21:03:50 - <Info> - Found an MTU of 1500 for 'eth0'
14/3/2022 -- 21:03:50 - <Notice> - Host config from suricata.yaml: memcap: 16777216, hash-size: 4096, prealloc: 1000
14/3/2022 -- 21:03:50 - <Info> - fast output device (regular) initialized: fast.log
14/3/2022 -- 21:03:50 - <Info> - eve-log output device (regular) initialized: eve.json
14/3/2022 -- 21:03:50 - <Info> - stats output device (regular) initialized: stats.log
14/3/2022 -- 21:03:50 - <Info> - Running in live mode, activating unix socket
14/3/2022 -- 21:03:50 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
14/3/2022 -- 21:03:50 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
14/3/2022 -- 21:03:50 - <Info> - Threshold config parsed: 0 rule(s) found
14/3/2022 -- 21:03:50 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
14/3/2022 -- 21:03:50 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Not supported (122)
14/3/2022 -- 21:03:50 - <Info> - Going to use 1 thread(s)
14/3/2022 -- 21:03:51 - <Info> - Running in live mode, activating unix socket
14/3/2022 -- 21:03:51 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
14/3/2022 -- 21:03:51 - <Info> - Created socket directory /var/run/suricata/
14/3/2022 -- 21:03:51 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
14/3/2022 -- 21:03:51 - <Info> - All AFP capture threads are running.

Edit: I’m just ecstatic it doesn’t seem to be an issue I caused :smiley: Other than being an outlier use-case, of course

Jeff,

Should I leave this un-Solved for now (removing the memcap calls obviously isn’t right, but it does seem to correct the issue enough to load, I’ve not tested past that) or close it out?

What’s your preference?

What’s the runtime environment again? I’ll try to reproduce locally.

For the near term, making changes so you can have forward progress seems right. I’ll try to figure out how to repro locally.

Thanks for your help!

This is running on an Itus Networks Shield (ITUS Networks Shield Pro - TechInfoDepot) running Kernel 5.4 MIPS64be (mips64-openwrt-linux-musl) on the OpenWrt master branch, which is probably going to make it an issue for you to test :frowning:

Currently, my goal is to get Suricata working across the various build-tree targets available to OpenWrt. I posted in the dev section about an issue I’m having with x86_64 (Passing CFLAGS=-fPIE to rust build system) and upstream to rust-lang the tuples required (currently, I patch in the tuples locally to the rust-lang toolchain), so while I can do some additional testing for things like rules use, etc, I’m not looking to actually use Suricata at the moment until after I clear through all the testing I have to do.

You, @ish, and @vjulien been an immense resource throughout my entire journey on this, and I can’t thank you all enough. I am at your disposal for any testing you need. The patch format you’ve sent me is perfect as I literally just drop it into a directory and the build-system takes care of the rest

grommish@DESKTOP-AW:~/openwrt/feeds/packages/net/suricata6/patches$ ls
00-fix-soft-float.patch  01-fix_log.patch
grommish@DESKTOP-AW:~/openwrt/feeds/packages/net/suricata6/patches$

So, whatever you need, feel free to impose!

Edit: This is not my production device, so testing is not an issue for this platform, at least

Thanks. I suspect that something with SC_ATOMIC_GET isn’t working well. This macro is used in many places throughout Suricata so I suspect there’s something unique to its usage in src/host.c

Our CI uses Alma8 which includes musl. I don’t know if we have any big-endian CI runners yet. Will continue to look

I noticed an interesting display issue when testing:

Date: 3/25/2022 -- 01:43:13 (uptime: -24855d, -3h -14m -8s

root@OpenWrt:/# tail -52 /var/log/suricata/stats.log
------------------------------------------------------------------------------------
Date: 3/25/2022 -- 01:43:13 (uptime: -24855d, -3h -14m -8s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 268428
capture.kernel_drops                          | Total                     | 32
decoder.pkts                                  | Total                     | 268396
decoder.bytes                                 | Total                     | 34158820
decoder.ipv4                                  | Total                     | 103178
decoder.ipv6                                  | Total                     | 15243
decoder.ethernet                              | Total                     | 268396
decoder.tcp                                   | Total                     | 6998
decoder.udp                                   | Total                     | 93868
decoder.icmpv4                                | Total                     | 151
decoder.icmpv6                                | Total                     | 10597
decoder.avg_pkt_size                          | Total                     | 127
decoder.max_pkt_size                          | Total                     | 1514
flow.tcp                                      | Total                     | 13
flow.udp                                      | Total                     | 10392
flow.icmpv4                                   | Total                     | 6
flow.icmpv6                                   | Total                     | 1866
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 99
decoder.event.ipv4.opt_pad_required           | Total                     | 6807
decoder.event.ipv6.zero_len_padn              | Total                     | 1833
flow.wrk.flows_evicted_needs_work             | Total                     | 9
flow.wrk.flows_evicted_pkt_inject             | Total                     | 11
flow.wrk.flows_evicted                        | Total                     | 2393
flow.wrk.flows_injected                       | Total                     | 9
tcp.sessions                                  | Total                     | 13
tcp.syn                                       | Total                     | 13
tcp.synack                                    | Total                     | 11
tcp.rst                                       | Total                     | 21
tcp.reassembly_gap                            | Total                     | 2
app_layer.flow.tls                            | Total                     | 11
app_layer.flow.ntp                            | Total                     | 328
app_layer.tx.ntp                              | Total                     | 328
app_layer.flow.dhcp                           | Total                     | 14
app_layer.tx.dhcp                             | Total                     | 24
app_layer.flow.failed_udp                     | Total                     | 10050
flow.mgr.full_hash_pass                       | Total                     | 311
flow.spare                                    | Total                     | 9896
flow.mgr.rows_maxlen                          | Total                     | 2
flow.mgr.flows_checked                        | Total                     | 13065
flow.mgr.flows_notimeout                      | Total                     | 3259
flow.mgr.flows_timeout                        | Total                     | 9806
flow.mgr.flows_evicted                        | Total                     | 9806
flow.mgr.flows_evicted_needs_work             | Total                     | 9
tcp.memuse                                    | Total                     | 1212416
tcp.reassembly_memuse                         | Total                     | 688128
flow.memuse                                   | Total                     | 7394304
root@OpenWrt:/#