Hello,
I see that reassembly memory for tcp streams are allocated only to prealloc values configured during the startup. And later when the reassembly memory is required Suricata allocates it dynamically and adds it to pool.
In my case I want to allocate most of the memory required by Suricata upfront. Is any method readily available?
I can set the prealloc to memcap/sizeof(tcp_segment)/threads_count but will it restrict the preallocated reassembly memory only to particular thread or will it be in a common pool, so that when one thread is overloaded with tcp flows it can take more memory than allocated to it(provided other threads are underloaded)?
Thanks
Do you mean it can be like spare flow pool ,so that tcp segment pool could dynamic adjust it’s own segment pool size?
what I mean is, today only the value configured in tcp.reassembly.segment-prealloc is allocated during the initialization. When there Suricata runs out of the prealloc’d memory its starts allocating the memory dynamically until the configured tcp.reassembly.memcap is reached.
And then, if my understanding is correct, once the flow is ended, the memory is not freed rather added back to the reassembly pool and used when required.
The issue I have with this is, when Suricata is just started it takes less memory and when traffic starts coming memory increases.
If I want to know how much free memory available in most of the case in my box, I will need to run the max traffic and check.
If the all the required memory(or as much is possible) is allocated during the init itself, it will make things easier for me in measuring the memory.