TCP.reassembly_gap without packet loss

noob_17 · July 18, 2022, 4:51pm

Hi,

I’ve been read that tcp.reassembly_gap is associated with kernel_drops, although in my setup i have a large number of tcp.reassembly_gap and no packet loss. I can´t get the number of reassembly gap to descrease to 0 (or near that).

I need help to understand what the tcp.reassembly_gap means and what optimization can be done in order to improve this values. Thank you!

capture.kernel_packets                        | Total                     | 686412359
capture.kernel_drops                          | Total                     | 0
tcp.reassembly_gap                            | Total                     | 1106476

IDSTower · July 18, 2022, 8:12pm

It could be that you don’t have kernel drops but there still reassmbly gaps because the drops happened before (eg: span port)

Remember, the kernel drops are counted against what actually reaches the suricata hosts.

Topic		Replies	Views
Tcp.reassembly_gap number hundreds of millions, how to go to solve Help suricata	1	322	February 27, 2023
TCP_reassembly_gaps	1	534	March 6, 2021
Drop stats explanation Help	1	502	January 26, 2022
Understanding stats.log to analyze upstream packet loss Help	1	179	July 31, 2024
High number kernel_drops again Help	8	942	January 24, 2021

TCP.reassembly_gap without packet loss

Related topics