Feature #845
openMemory consumption in stats.log
Description
It will be very helpful if some more stats can be added in the stats.log
May be at the bottom of each update/run - how much memory (in MB if possible) is Suricata using for flow, stream, reassembly and fragmentation.
Or in other words - mirror of the yaml settings for flow, stream, reassembly and fragmentation, but from actual physical memory consumption point of view.
Thank you
Updated by Andreas Herz over 5 years ago
This would be really helpful but would it also increase the load to calculate it each time?
Updated by Peter Manev over 5 years ago
Most of these mem stats are already in :
tcp.memuse | Total | 2240000000 tcp.reassembly_memuse | Total | 384780288 http.memuse | Total | 260882 ftp.memuse | Total | 696 flow.memuse | Total | 7612575672
Updated by Andreas Herz over 5 years ago
So we have still missing:
- dns
- defrag
- host table
- ippair
stream is covered by the tcp ones.
At least this is the list I could come up with based on possible memory settings in the suricata.yaml.
Do you see any others?
Updated by Peter Manev over 5 years ago
For some of those we have memcaps counters(dns for example) so it still helps a bit. Don't see any others for now.
Updated by Philippe Antoine over 1 year ago
- Target version changed from TBD to 8.0.0-beta1
Looking for memcap
in suricata .yaml.in
We have
- ftp : in stats
- http : in stats
- http.byterange : TODO also to put in MemcapCommand in unix socket
- datasets : TODO
- defrag : TODO (only stats, already for socket)
- flow : ok
- stream : ok
- reassembly : TODO (only stats, already for socket)
- host : TODO (only stats, already for socket)
- ippair : TODO (only stats, already for socket)
Updated by Jeff Lucovsky 2 months ago
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Jeff Lucovsky
Updated by Jeff Lucovsky 2 months ago ยท Edited
I've completed the changes to add memcap/memuse/stats per the following. The dataset manipulations are more complicated and warrant a separate ticket because of the UI impact (dataset names are dynamic and the current socket mode handler requires work to accommodate).
value | stats | socket |
---|---|---|
ftp | y | y |
http | y | y |
http.byterange | y | y |
datasets | n | n |
defrag | y | y |
flow | y | y |
stream | y | y |
reassembly | y | y |
host | y | y |
ippair | y | y |
thresholds | n | n |
Updated by Jeff Lucovsky about 2 months ago
- Status changed from In Progress to In Review