This adds a counter indicating how many times
the flow max memcap has been reached
Since there is no always a reference to FlowManagerThreadData,
the counter is put in DecodeThreadVars.
Currently when there is no counter increase in one call of FlowGetNew
because we don't have tv or dtv at the time of the call.
The following is a snippet of the generated EVE entry:
"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":
7085248}
dtv->counter_avg_pkt_size = StatsRegisterAvgCounter("decoder.avg_pkt_size", tv);
dtv->counter_max_pkt_size = StatsRegisterMaxCounter("decoder.max_pkt_size", tv);
dtv->counter_erspan = StatsRegisterMaxCounter("decoder.erspan", tv);
+ dtv->counter_flow_memcap = StatsRegisterCounter("flow.memcap", tv);
dtv->counter_defrag_ipv4_fragments =
StatsRegisterCounter("defrag.ipv4.fragments", tv);
uint16_t counter_defrag_ipv6_timeouts;
uint16_t counter_defrag_max_hit;
+ uint16_t counter_flow_memcap;
+
/* thread data for flow logging api: only used at forced
* flow recycle during lookups */
void *output_flow_thread_data;
f = FlowGetUsedFlow(tv, dtv);
if (f == NULL) {
+ /* max memcap reached, so increments the counter */
+ if (tv != NULL && dtv != NULL) {
+ StatsIncr(tv, dtv->counter_flow_memcap);
+ }
+
/* very rare, but we can fail. Just giving up */
return NULL;
}
/* now see if we can alloc a new flow */
f = FlowAlloc();
if (f == NULL) {
+ if (tv != NULL && dtv != NULL) {
+ StatsIncr(tv, dtv->counter_flow_memcap);
+ }
return NULL;
}
projects / thirdparty / suricata.git / commitdiff
