Why are packets discarded?

Article ID: 160393

Products

Data Loss Prevention Network Monitor

Issue/Introduction

What is a discarded packet, and why is it not always a bad thing?

Environment

DLP 15.8.x and 16.0.x

Resolution

Packets are discarded because there is not enough memory in the system to store the packets until they can be reconstructed. Packet discards occur if there is a very large burst of concurrent messages on the port span or tap that is being monitored.

Packet Capture can generally handle 2,000 messages (connections) or more per second indefinitely. If the traffic increases to 10,000 messages per second for a sustained burst, there might be some discarded packets due to memory constraints. The messages described here may or may not be filtered out later by L7 (layer 7) inspection or for other reasons. Packet Capture must keep the packets in memory until it decides whether the packets are relevant or not. This is why 10,000 messages per second do not translate to 10,000 messages processed in the UI.

Another reason for discarded packets is that a large number of monitored messages might be processing very slowly. Packet Capture must hold the messages for reconstruction in memory until each message is completely sent. If the messages it is monitoring are taking minutes to transfer across the network, it may need to hold those messages in memory for a long time. That can also lead Packet Capture to run out of memory. This sort of situation can be the result of bad network conditions or of malfunctioning servers that leave too many connections open in memory for long periods of time.

To understand the Advanced Server settings that are saved on the Monitor, you must understand that Packet Capture uses a fixed number of fixed-size buffers. This allows Packet Capture to allocate and release packets very quickly and guards against program memory overflows. Packet Capture divides the packets into three sizes to optimize memory usage. The memory footprint of packet storage is:

(SIZE_SMALL_POOL_PACKETS * NUMBER_SMALL_POOL_PACKETS) + (SIZE_BUFFER_POOL_PACKETS * NUMBER_BUFFER_POOL_PACKETS) + (SIZE_JUMBO_POOL_PACKETS * NUMBER_JUMBO_POOL_PACKETS)

Increasing these values takes up more memory, but accommodates more traffic of a given packet size. Also, the values in each protocol's settings for "Maximum wait until written" and "Maximum wait until dropped" describe how long streams are held to capture stray packets. Those values can be reduced to 1 and 2 respectively to minimize memory use. This results in a slight increase in spurious or corrupted traffic if there is a chance of out-of-order traffic on the span or tap.

See also:

TECH221445: Packet Capture Buffer and Memory Usage