Documentation #5267: Meaning of insert_list_fail counter - Suricata - Open Information Security Foundation

Actions

Copy link

Documentation #5267

open

Meaning of insert_list_fail counter

Added by Sachin Desai almost 4 years ago. Updated about 12 hours ago.

Status:

In Review

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

9.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hello,

Thanks for such a great product.

We would like to understand the reason behind the "insert_list_fail" counter. I see it incrementing in our VXLAN setup during reassembly. But documentation doesnt mention anywhere as to what is this meant to indicate and possible guidance on this.

   "tcp":{
      "sessions":46103,
      "ssn_memcap_drop":0,
      "pseudo":0,
      "pseudo_failed":0,
      "invalid_checksum":20,
      "no_flow":0,
      "syn":48357,
      "synack":59814,
      "rst":36695,
      "midstream_pickups":23,
      "pkt_on_wrong_thread":0,
      "segment_memcap_drop":0,
      "stream_depth_reached":0,
      "reassembly_gap":187,
      "overlap":8871,
      "overlap_diff_data":0,
      "insert_data_normal_fail":0,
      "insert_data_overlap_fail":0,
*      "insert_list_fail":1045,  <<<<<<<<<<<<
      "memuse":1212416,
      "reassembly_memuse":1212416
   }

Actions

Copy link

Updated by Victor Julien almost 4 years ago

Description updated (diff)

Actions

Copy link

Updated by Victor Julien almost 4 years ago

These are spurious retransmissions. We will classify a packet as such if it is a data packet that is entirely before our last_ack or base_seq. base_seq is the sequence number of where our window or reassembled data starts. It can only go up, so anything before it is considered invalid.

I'm working on some code to change the handling of those, see:

https://github.com/OISF/suricata/pull/7166/commits/44e6ae711b8fc0357226903f500fcf1514bba0e0
https://github.com/OISF/suricata/pull/7166/commits/8bf5ed3567288dc481a53fcd2b88c86ab7b51689

Actions

Copy link