Please include the following information with your help request:
- Suricata version
7.0.6
- Operating system and/or Linux distribution
Ubuntu 20.04, RHEL 7.5
- How you installed Suricata (from source, packages, something else)
From source, configure and make
Hello Suricata team,
I'm confused by the tcp-reassembly config:
reassembly:
  memcap: 256mb # Can be specified in kb, mb, gb. Just a number
I've found that the reassembly memuse grows with the flow memcap, but there is no limit:
once the flow memcap reached 20GB, no matter how large a reassembly memcap I give Suricata, it will eventually use all of it.
And with different reassembly memcaps (40GB, 60GB, 80GB, 160GB), the kernel_drop_delta, kernel_packets_delta, active_tcp, active_session, spare_num and other stats are the same. I'm not sure whether other important stats would differ, but I did not notice any.
So is there any formula that can calculate the tcp reassembly memcap from the other config?
Or any suggestion on how to configure the corresponding tcp reassembly memcap under different traffic conditions (2Gb/s, 4Gb/s, 10Gb/s or more)?
Thanks.
Could you add your full suricata.yaml
as well as suricata.log
and stats.log
to do some basic checks?
Also the run command that you use for Suricata.
Sorry, it's running in a production environment, so I can't copy all of them out. But here is some config that differs from the standard suricata.yaml.
flow:
  memcap: 10Gb
  #memcap-policy: ignore
  hash-size: 3000000
  prealloc: 10000000
  emergency-recovery: 20
  managers: 2 # default to one flow manager
  recyclers: 2 # default to one flow recycler thread
stream:
  memcap: 24gb
  #memcap-policy: ignore
  checksum-validation: yes # reject incorrect csums
  midstream: true
  midstream-policy: ignore
  inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: "from 40gb 60gb to 160gb all ok"
    #memcap-policy: ignore
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
And the stats.log entries I care about:
stats.capture.kernel_drops_delta: 0
stats.capture.kernel_packets_delta: 17547612
stats.tcp.insert_data_normal_fail_delta: 0
stats.tcp.reassembly_gap: 930041
stats.flow.active: 669762
stats.tcp.active_sessions: 524099
stats.flow.memuse: 2.94Gb
stats.http.memuse: 731MB
stats.tcp.memuse: 6.34Gb
stats.tcp.reassembly_memuse: from 20, 40 up to 160GB (so confused here that it eats as much memory as I offer while the other data stays the same)
The command line is simple: suricata -c /usr/bin/suricata.yaml --pfring
I'll post more of them if there are other config keys you are interested in that would help. Thanks
At least add the suricata.log
which should not contain any sensitive data.
You could also test with af-packet
instead of pfring
and see if there is a difference.
Do you have a plot over the time for the different stats?
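As an added example (not part of this thread and not Suricata's own code), the following Python script does the "plot over time" bookkeeping asked for above from a stats.log: it parses consecutive dumps, computes the packet/drop/gap deltas the poster listed, and reports tcp.reassembly_memuse as a percentage of the configured reassembly memcap for each interval. Assumptions: the stats.log layout is the "Counter | TM Name | Value" table under a "Date:" header with totals in the "Total" column, memuse counters are in bytes, memcap suffixes kb/mb/gb are 1024-based, and the sample log text is constructed to resemble the posted figures rather than taken from a real sensor. The "bytes per active session" column is a derived metric of mine, not a Suricata counter and not a sizing formula.

```python
"""Track Suricata tcp.reassembly_memuse against its memcap across stats.log dumps."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two consecutive stats.log dumps in the layout Suricata
# writes (Date header, dashed rules, "counter | TM Name | value" rows).
# Numbers are made up to resemble the posted figures; they are not real data.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 8/7/2024 -- 10:00:00 (uptime: 0d, 00h 08m 00s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 100000000
capture.kernel_drops                          | Total                     | 0
tcp.active_sessions                           | Total                     | 524099
tcp.reassembly_gap                            | Total                     | 900000
flow.memuse                                   | Total                     | 3156000000
tcp.memuse                                    | Total                     | 6806000000
tcp.reassembly_memuse                         | Total                     | 21474836480
------------------------------------------------------------------------------------
Date: 8/7/2024 -- 10:00:08 (uptime: 0d, 00h 08m 08s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 117547612
capture.kernel_drops                          | Total                     | 0
tcp.active_sessions                           | Total                     | 530000
tcp.reassembly_gap                            | Total                     | 930041
flow.memuse                                   | Total                     | 3160000000
tcp.memuse                                    | Total                     | 6810000000
tcp.reassembly_memuse                         | Total                     | 42949672960
"""

# Assumption: suricata.yaml size suffixes (kb, mb, gb, as in the memcap comment) are 1024-based.
_SIZE_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}
_ROW = re.compile(r"^([A-Za-z0-9_.-]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")


@dataclass
class StatsDump:
    date: str
    counters: Dict[str, int] = field(default_factory=dict)


def parse_memcap(value: str) -> int:
    """Convert a suricata.yaml size string such as "24gb" or "256mb" to bytes (suffix case-insensitive)."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", value)
    if not m or m.group(2).lower() not in _SIZE_UNITS:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).lower()]


def parse_stats_log(text: str, tm_name: str = "Total") -> List[StatsDump]:
    """Split a stats.log into dumps; keep only rows for the given TM Name column."""
    dumps: List[StatsDump] = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            stamp = line[len("Date:"):].split("(uptime", 1)[0].strip()
            dumps.append(StatsDump(date=stamp))
            continue
        m = _ROW.match(line)
        if m and dumps and m.group(2) == tm_name:
            dumps[-1].counters[m.group(1)] = int(m.group(3))
    return dumps


def _delta(cur: StatsDump, prev: Optional[StatsDump], key: str) -> int:
    """Per-interval increase of a cumulative counter (0 for the first dump)."""
    return cur.counters[key] - prev.counters[key] if prev else 0


def summarise(dumps: List[StatsDump], reassembly_memcap: int) -> List[Dict[str, object]]:
    """One row per dump: the posted deltas plus reassembly memuse relative to the memcap."""
    rows: List[Dict[str, object]] = []
    prev: Optional[StatsDump] = None
    for d in dumps:
        memuse = d.counters["tcp.reassembly_memuse"]
        active = d.counters["tcp.active_sessions"]
        rows.append({
            "date": d.date,
            "kernel_packets_delta": _delta(d, prev, "capture.kernel_packets"),
            "kernel_drops_delta": _delta(d, prev, "capture.kernel_drops"),
            "reassembly_gap_delta": _delta(d, prev, "tcp.reassembly_gap"),
            "reassembly_memuse_bytes": memuse,
            "reassembly_memuse_pct_of_memcap": round(100.0 * memuse / reassembly_memcap, 1),
            # Derived metric (ours): how much reassembly memory each live session holds on average.
            "reassembly_bytes_per_active_session": memuse // active if active else 0,
        })
        prev = d
    return rows


if __name__ == "__main__":
    for row in summarise(parse_stats_log(SAMPLE_STATS_LOG), parse_memcap("40gb")):
        print(row)
```

Run it against a real stats.log by reading the file into parse_stats_log and passing the memcap string from suricata.yaml; an interval where reassembly_memuse_pct_of_memcap sits at 100 while kernel_drops_delta stays 0 is exactly the "it fills whatever I give it" pattern described in the thread, and the per-session column shows whether that growth tracks the session count or not.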