Flows keeps two sets of sessions in memory. The first one ("memcache") holds the most recently finished sessions, kept in memory so that as many queries as possible stay fast.

The second one ("conntrack") is the set of unfinished sessions: packets are still coming in for them. When this set fills up, you get these messages in the netsaw2.log file:

LRU removed item from primary session table needs DB update before being overwritten.
This is caused by setting the session cache size too small, increase it.


In addition, sessions are marked "finished" before they're really done. That means it takes two session records to represent what's really only one session, which in the long term can affect performance.

The two sizes, added together, give you the total number of sessions in memory. Multiply by 256 to get an estimate of the amount of RAM needed.
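
A toy model of the conntrack behaviour described above, as an added example (not Flows' own code). It assumes the unfinished-session table evicts its least recently used entry when full, as the log message suggests; the function names, sizes and sample traffic are constructed for illustration.

```python
from collections import OrderedDict

PER_SESSION_FACTOR = 256  # multiplier from the text above (the page gives no unit)


def count_records(packets, conntrack_size):
    """Replay packets through a toy LRU table of unfinished sessions.

    packets: iterable of (session_key, is_last_packet) tuples.
    Returns (records_written, early_evictions).
    """
    conntrack = OrderedDict()   # unfinished sessions, least recently used first
    records = 0                 # session records written out as "finished"
    evictions = 0               # sessions written out before their last packet
    for key, is_last in packets:
        if key in conntrack:
            conntrack.move_to_end(key)          # refresh LRU position
        else:
            if len(conntrack) >= conntrack_size:
                conntrack.popitem(last=False)   # table full: evict the oldest
                records += 1                    # it is marked "finished" early
                evictions += 1
            conntrack[key] = True               # later packets start a new record
        if is_last:
            del conntrack[key]                  # the session really ended
            records += 1
    records += len(conntrack)                   # flush whatever is still open
    return records, evictions


def estimate_ram(memcache_size, conntrack_size):
    """Total sessions in memory multiplied by 256, as described above."""
    return (memcache_size + conntrack_size) * PER_SESSION_FACTOR


# Constructed traffic: three real sessions (A, B, C) with interleaved packets.
SAMPLE = [("A", False), ("B", False), ("C", False),
          ("A", False), ("B", True), ("C", True), ("A", True)]

if __name__ == "__main__":
    for size in (2, 3):
        records, evictions = count_records(SAMPLE, size)
        print(f"conntrack={size}: {records} records, {evictions} early evictions")
    print("RAM estimate:", estimate_ram(100_000, 50_000))
```

With room for only two unfinished sessions, the three sample sessions produce six records; with room for three, they produce exactly three.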