Documentation #5267
open
Meaning of insert_list_fail counter
Description
Hello,
Thanks for such a great product.
We would like to understand the reason behind the "insert_list_fail" counter. I see it incrementing in our VXLAN setup during reassembly. But the documentation doesn't mention anywhere what this is meant to indicate, or give possible guidance on it.
"tcp":{
  "sessions":46103,
  "ssn_memcap_drop":0,
  "pseudo":0,
  "pseudo_failed":0,
  "invalid_checksum":20,
  "no_flow":0,
  "syn":48357,
  "synack":59814,
  "rst":36695,
  "midstream_pickups":23,
  "pkt_on_wrong_thread":0,
  "segment_memcap_drop":0,
  "stream_depth_reached":0,
  "reassembly_gap":187,
  "overlap":8871,
  "overlap_diff_data":0,
  "insert_data_normal_fail":0,
  "insert_data_overlap_fail":0,
  "insert_list_fail":1045,   <<<<<<<<<<<<
  "memuse":1212416,
  "reassembly_memuse":1212416
}
Updated by Victor Julien over 2 years ago
These are spurious retransmissions. We will classify a packet as such if it is a data packet that is entirely before our last_ack or base_seq. base_seq is the sequence number of where our window or reassembled data starts. It can only go up, so anything before it is considered invalid.
I'm working on some code to change the handling of those, see:
https://github.com/OISF/suricata/pull/7166/commits/44e6ae711b8fc0357226903f500fcf1514bba0e0
https://github.com/OISF/suricata/pull/7166/commits/8bf5ed3567288dc481a53fcd2b88c86ab7b51689
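The check described in the comment above, sketched as an added example (not Suricata's code and not part of the thread). The struct, the function names and the use of a modulo-2^32 comparison are assumptions for illustration; the sample sequence numbers are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe "a <= b" for 32-bit TCP sequence numbers (modulo 2^32). */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Hypothetical per-direction stream state; field names mirror the thread. */
struct stream_state {
    uint32_t base_seq;         /* where the window / reassembled data starts */
    uint32_t last_ack;         /* last ACK seen for this direction */
    uint64_t insert_list_fail; /* counter as named in the stats output */
};

/* base_seq can only go up: ignore any attempt to move it backwards. */
static void advance_base(struct stream_state *s, uint32_t new_base)
{
    if (!seq_leq(new_base, s->base_seq))
        s->base_seq = new_base;
}

/* True when the data segment [seq, seq+len) ends at or before base_seq or last_ack. */
static bool is_spurious_retransmission(const struct stream_state *s,
                                       uint32_t seq, uint32_t len)
{
    uint32_t end = seq + len; /* first byte after the segment; wraps naturally */
    if (len == 0)
        return false;         /* not a data packet */
    return seq_leq(end, s->base_seq) || seq_leq(end, s->last_ack);
}

/* Returns true if the segment would be accepted; otherwise bumps the counter. */
static bool insert_segment(struct stream_state *s, uint32_t seq, uint32_t len)
{
    if (is_spurious_retransmission(s, seq, len)) {
        s->insert_list_fail++;
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed state just after a sequence-number wrap. */
    struct stream_state s = { .base_seq = 0x10, .last_ack = 0x10, .insert_list_fail = 0 };
    insert_segment(&s, 0xFFFFFFF0u, 0x10); /* ends at 0x00: entirely old data */
    insert_segment(&s, 0xFFFFFFF0u, 0x30); /* ends at 0x20: carries new data */
    printf("insert_list_fail=%llu\n", (unsigned long long)s.insert_list_fail);
    return 0;
}
```

A plain `seq + len <= base_seq` comparison would misclassify both constructed segments once the sequence space wraps, which is why the signed-difference form is used here.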
Updated by Sachin Desai over 2 years ago
Thanks a ton for the quick response. This helps.