TCP.reassembly_gap without packet loss


I’ve read that tcp.reassembly_gap is associated with kernel_drops, although in my setup I have a large number of tcp.reassembly_gap and no packet loss. I can’t get the number of reassembly gaps to decrease to 0 (or near that).

I need help to understand what tcp.reassembly_gap means and what optimization can be done in order to improve these values. Thank you!

capture.kernel_packets                        | Total                     | 686412359
capture.kernel_drops                          | Total                     | 0
tcp.reassembly_gap                            | Total                     | 1106476

It could be that you don’t have kernel drops but there are still reassembly gaps because the drops happened before (e.g. SPAN port).

Remember, the kernel drops are counted against what actually reaches the Suricata hosts.
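
Added example, not part of the original thread: a small Python script that reads consecutive stats.log snapshots and reports, per interval, whether new reassembly gaps appeared alongside kernel drops or without them, which is the distinction the reply above draws. The sample log text is constructed, and the function names and verdict wording are this example's own assumptions.

```python
import re

# Constructed stats.log excerpt (two snapshots); values are illustrative only.
SAMPLE = """\
Date: 1/15/2024 -- 10:00:00 (uptime: 0d, 01h 00m 00s)
capture.kernel_packets                        | Total                     | 1000000
capture.kernel_drops                          | Total                     | 0
tcp.reassembly_gap                            | Total                     | 1500
Date: 1/15/2024 -- 10:00:08 (uptime: 0d, 01h 00m 08s)
capture.kernel_packets                        | Total                     | 1200000
capture.kernel_drops                          | Total                     | 0
tcp.reassembly_gap                            | Total                     | 1900
"""

COUNTER = re.compile(r"^(\S+)\s*\|\s*Total\s*\|\s*(\d+)\s*$")  # only 'Total' rows
WANTED = ("capture.kernel_packets", "capture.kernel_drops", "tcp.reassembly_gap")

def parse_snapshots(text):
    """Split stats.log text into one {counter: value} dict per 'Date:' block."""
    snaps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            snaps.append({"date": line[5:].split("(")[0].strip()})
        elif snaps and (m := COUNTER.match(line)) and m.group(1) in WANTED:
            snaps[-1][m.group(1)] = int(m.group(2))
    return snaps

def interval_report(snaps):
    """Per-interval deltas of the cumulative counters, with a verdict."""
    rows = []
    for prev, cur in zip(snaps, snaps[1:]):
        d = {k: cur.get(k, 0) - prev.get(k, 0) for k in WANTED}
        if any(v < 0 for v in d.values()):  # counters went backwards: restart
            continue
        gaps, drops = d["tcp.reassembly_gap"], d["capture.kernel_drops"]
        if gaps and not drops:
            verdict = "gaps without kernel drops: data may be lost before this host"
        elif gaps:
            verdict = "gaps with kernel drops: local capture loss may contribute"
        else:
            verdict = "no new gaps"
        rows.append((cur["date"], d["capture.kernel_packets"], drops, gaps, verdict))
    return rows

if __name__ == "__main__":
    for row in interval_report(parse_snapshots(SAMPLE)):
        print(*row, sep=" | ")
```

Point it at a real stats.log by passing the file's contents to `parse_snapshots`; intervals where the counters reset after a restart are skipped.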