<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div dir="ltr" id="yui_3_16_0_1_1412796524544_3110"><span id="yui_3_16_0_1_1412796524544_3109">Will the use of BPF filters affect this?  We are using PF_RING.  </span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, October 8, 2014 2:32 PM, Cooper F. Nelson &lt;cnelson@ucsd.edu&gt; wrote:<br> </font> </div>  <br><br> <div class="y_msg_container">-----BEGIN PGP SIGNED MESSAGE-----<br clear="none">Hash: SHA1<br clear="none"><br clear="none">These stats refer to packets processed/dropped by the kernel prior to<br clear="none">being passed to suricata for processing.  Packets will be dropped before<br clear="none">processing them, so indeed the drops can be higher.<br clear="none"><br clear="none">If you are dropping lots of packets in kernel space, it means you are<br clear="none">either trying to process too many packets per thread, or your kernel<br clear="none">packet buffers are too small.<br clear="none"><br clear="none">- -Coop<br clear="none"><div class="yqt5672306945" id="yqtfd45652"><br clear="none">On 10/8/2014 8:26 AM, Charles DeVoe wrote:<br clear="none">> in the stats file there are 2 values of<br clear="none">> interest, capture.kernel_packets, capture.kernel_drops.  <br clear="none">> <br clear="none">> I believe that capture.kernel_packets would be the total number of<br clear="none">> packets for each thread,  capture.kernel_drops would be the number<br clear="none">> of capture.kernel_packets dropped.  
Hence capture.kernel_packets should<br clear="none">> always be greater than capture.kernel_drops.  However, this does not<br clear="none">> appear to be the case.  We have many instances where the number<br clear="none">> of capture.kernel_packets is less than capture.kernel_drops.  Indicating<br clear="none">> we are dropping more packets than we receive.  <br clear="none">> <br clear="none">> The question here is what are these two values and how are they derived?</div><br clear="none">> <br clear="none">> <br clear="none">> _______________________________________________<br clear="none">> Suricata IDS Users mailing list: <a shape="rect" ymailto="mailto:oisf-users@openinfosecfoundation.org" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br clear="none">> Site: <a shape="rect" href="http://suricata-ids.org/" target="_blank">http://suricata-ids.org </a>| Support: <a shape="rect" href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br clear="none">> List: <a shape="rect" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br clear="none">> Training now available: <a shape="rect" href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br clear="none">> <br clear="none"><br clear="none"><br clear="none">- -- <br clear="none">Cooper Nelson<br clear="none">Network Security Analyst<br clear="none">UCSD ACT Security Team<br clear="none"><a shape="rect" ymailto="mailto:cnelson@ucsd.edu" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042<br clear="none"><div class="yqt5672306945" id="yqtfd65323"><br clear="none"></div><br><br></div>  </div> </div>  </div> </div></body></html>