<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><br>
<br>
</span>What cluster_type (and Suri version) are you using?</blockquote>version: 2.0.8 RELEASE<br><div>cluster-type: cluster_flow </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5"><br>
</div></div>Is this consistent with Suricata's stats.log?<br></blockquote><div><br></div><div><b>Yes, last two entries from stats.log:</b></div><div>capture.kernel_packets    | AFPacketbond01            | 1485572868</div><div><b>capture.kernel_packets    | AFPacketbond02            | 0</b></div><div>capture.kernel_packets    | AFPacketbond03            | 1377368199</div><div>capture.kernel_packets    | AFPacketbond04            | 1389788072</div><div>capture.kernel_packets    | AFPacketbond05            | 1428569217</div><div>capture.kernel_packets    | AFPacketbond06            | 1920661530</div><div>capture.kernel_packets    | AFPacketbond07            | 1408036528</div><div>capture.kernel_packets    | AFPacketbond08            | 1590766009</div><div>capture.kernel_packets    | AFPacketbond09            | 1494232281</div><div>capture.kernel_packets    | AFPacketbond010           | 1451044916</div><div>capture.kernel_packets    | AFPacketbond011           | 3252054939</div><div>capture.kernel_packets    | AFPacketbond012           | 3118034998</div><div>capture.kernel_packets    | AFPacketbond013           | 1493265432</div><div>capture.kernel_packets    | AFPacketbond014           | 1465651530</div><div>capture.kernel_packets    | AFPacketbond015           | 1513765413</div><div>capture.kernel_packets    | AFPacketbond016           | 1616881473</div><div>capture.kernel_packets    | AFPacketbond01            | 1500290226</div><div><b>capture.kernel_packets    | AFPacketbond02            | 0</b></div><div>capture.kernel_packets    | AFPacketbond03            | 1390539219</div><div>capture.kernel_packets    | AFPacketbond04            | 1402401529</div><div>capture.kernel_packets    | AFPacketbond05            | 1441521628</div><div>capture.kernel_packets    | AFPacketbond06            | 1934344963</div><div>capture.kernel_packets    | AFPacketbond07            | 1420926996</div><div>capture.kernel_packets    | AFPacketbond08            | 
1604977752</div><div>capture.kernel_packets    | AFPacketbond09            | 1525281819</div><div>capture.kernel_packets    | AFPacketbond010           | 1464552695</div><div>capture.kernel_packets    | AFPacketbond011           | 3269385208</div><div>capture.kernel_packets    | AFPacketbond012           | 3131000528</div><div>capture.kernel_packets    | AFPacketbond013           | 1506020632</div><div>capture.kernel_packets    | AFPacketbond014           | 1477735937</div><div>capture.kernel_packets    | AFPacketbond015           | 1528967614</div><div>capture.kernel_packets    | AFPacketbond016           | 1629456468</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">You can try the latest git and use the rollover option  -<br>
<a href="https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451</a><br>
and see if all threads are going to have packets? (you need kernel<br>
3.10 and above).<br></blockquote><div>Kernel version should be fine; I won't have time to test this different mode in the short term, but cluster flow seems to be working correctly with the exception of this distinct thread? </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
<br>
><br>
> ./d<br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
<span class=""><font color="#888888"><br>
<br>
<br>
--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div></div>
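The check done by eye in the message above (one AF_PACKET thread reporting 0 kernel packets across consecutive stats.log dumps) can be automated. The following is an added example, not part of the original thread or of Suricata itself; the function names are hypothetical and the sample is a subset of the counter lines quoted in the post.

```python
import re

# Subset of the stats.log lines quoted in the post (two consecutive dumps).
SAMPLE = """\
capture.kernel_packets    | AFPacketbond01            | 1485572868
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond011           | 3252054939
capture.kernel_packets    | AFPacketbond01            | 1500290226
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond011           | 3269385208
"""

LINE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def split_dumps(text, counter="capture.kernel_packets"):
    """Return one {thread: value} dict per dump; a repeated thread name starts a new dump."""
    dumps, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) != counter:
            continue  # date headers, separators, other counters
        thread, value = m.group(2), int(m.group(3))
        if thread in current:
            dumps.append(current)
            current = {}
        current[thread] = value
    if current:
        dumps.append(current)
    return dumps

def stalled_threads(dumps):
    """Compare the last two dumps; return (per-thread deltas, threads with no new packets)."""
    if len(dumps) < 2:
        raise ValueError("need at least two dumps to compute deltas")
    prev, last = dumps[-2], dumps[-1]
    deltas, stalled = {}, []
    for thread, value in last.items():
        if thread not in prev or value < prev[thread]:
            deltas[thread] = None  # new thread, or counter reset: no valid delta
            continue
        deltas[thread] = value - prev[thread]
        if deltas[thread] == 0:
            stalled.append(thread)
    return deltas, stalled

if __name__ == "__main__":
    deltas, stalled = stalled_threads(split_dumps(SAMPLE))
    print(deltas)
    print("no packets since previous dump:", stalled or "none")
```

A thread that stays in the stalled list across several dumps while its siblings keep counting is a capture worker the sensor is getting no traffic from, which is worth alerting on in sensor health monitoring.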