Project

General

Profile

Actions
Copy link

Documentation #5267

closed
SD PA

Meaning of insert_list_fail counter

Documentation #5267: Meaning of insert_list_fail counter

Added by Sachin Desai almost 4 years ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,

Thanks for such a great product.

We would like to understand the reason behind the "insert_list_fail" counter. I see it incrementing in our VXLAN setup during reassembly. But documentation doesnt mention anywhere as to what is this meant to indicate and possible guidance on this.

   "tcp":{
      "sessions":46103,
      "ssn_memcap_drop":0,
      "pseudo":0,
      "pseudo_failed":0,
      "invalid_checksum":20,
      "no_flow":0,
      "syn":48357,
      "synack":59814,
      "rst":36695,
      "midstream_pickups":23,
      "pkt_on_wrong_thread":0,
      "segment_memcap_drop":0,
      "stream_depth_reached":0,
      "reassembly_gap":187,
      "overlap":8871,
      "overlap_diff_data":0,
      "insert_data_normal_fail":0,
      "insert_data_overlap_fail":0,
*      "insert_list_fail":1045,  <<<<<<<<<<<<
      "memuse":1212416,
      "reassembly_memuse":1212416
   }

VJ Updated by Victor Julien almost 4 years ago Actions
Copy link
 #1

  • Description updated (diff)

VJ Updated by Victor Julien almost 4 years ago Actions
Copy link
 #2

These are spurious retransmissions. We will classify a packet as such if it is a data packet that is entirely before our last_ack or base_seq. base_seq is the sequence number of where our window or reassembled data starts. It can only go up, so anything before it is considered invalid.

I'm working on some code to change the handling of those, see:

https://github.com/OISF/suricata/pull/7166/commits/44e6ae711b8fc0357226903f500fcf1514bba0e0
https://github.com/OISF/suricata/pull/7166/commits/8bf5ed3567288dc481a53fcd2b88c86ab7b51689

SD Updated by Sachin Desai almost 4 years ago Actions
Copy link
 #3

Thanks a ton for the quick response. This helps.

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #4

  • Status changed from In Progress to New

PA Updated by Philippe Antoine 2 months ago Actions
Copy link
 #5

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 9.0.0-beta1

https://github.com/OISF/suricata/pull/14736

insert_list_fail is obsolete and no longer generated in main branch for 9
So removing it from json schema

Also jq '.. | keys? | .[]' etc/schema.json | sort | uniq | grep '"' | cut -d'"' -f2 | while read i; do echo -n $i; git grep $i | wc -l; done | awk '$2 == 1' finds other

PA Updated by Philippe Antoine 2 months ago Actions
Copy link
 #6

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: PDF Atom