<div dir="ltr">It seems to change across restarts; below is from stats captures with a number of restarts over a couple of weeks. Stats are being written every 6 minutes.<div><br><div><div><font face="monospace, monospace">$ cat stats.log | grep 'capture.kernel_packets' | grep '| 0$' | uniq -c | egrep -v '[ ^I]+1 capture'</font></div><div><font face="monospace, monospace">    360 capture.kernel_packets    | AFPacketbond01            | 0</font></div><div><font face="monospace, monospace">    200 capture.kernel_packets    | AFPacketbond02            | 0</font></div><div><font face="monospace, monospace">      2 capture.kernel_packets    | AFPacketbond03            | 0</font></div><div><font face="monospace, monospace">     90 capture.kernel_packets    | AFPacketbond04            | 0</font></div><div><font face="monospace, monospace">      3 capture.kernel_packets    | AFPacketbond010           | 0</font></div><div><font face="monospace, monospace">    198 capture.kernel_packets    | AFPacketbond012           | 0</font></div><div><font face="monospace, monospace">    102 capture.kernel_packets    | AFPacketbond01            | 0</font></div><div><font face="monospace, monospace">     55 capture.kernel_packets    | AFPacketbond011           | 0</font></div><div><font face="monospace, monospace">      8 capture.kernel_packets    | AFPacketbond02            | 0</font></div><div><font face="monospace, monospace">      2 capture.kernel_packets    | AFPacketbond02            | 0</font></div><div><font face="monospace, monospace">    175 capture.kernel_packets    | AFPacketbond03            | 0</font></div><div><font face="monospace, monospace">      3 capture.kernel_packets    | AFPacketbond02            | 0</font></div><div><font face="monospace, monospace">      6 capture.kernel_packets    | AFPacketbond03            | 0</font></div><div><font face="monospace, monospace">     23 capture.kernel_packets    | AFPacketbond013           | 0</font></div><div><font 
face="monospace, monospace">    219 capture.kernel_packets    | AFPacketbond02            | 0</font></div></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 15, 2015 at 5:04 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Wed, Oct 14, 2015 at 10:03 PM, Duane Howard <<a href="mailto:duane.security@gmail.com">duane.security@gmail.com</a>> wrote:<br>
>><br>
>><br>
>> What cluster_type (and Suri version) are you using?<br>
><br>
> version: 2.0.8 RELEASE<br>
> cluster-type: cluster_flow<br>
>><br>
>><br>
>> Is this consistent with Suricata's stats.log?<br>
><br>
><br>
> Yes, last two entries from stats.log:<br>
> capture.kernel_packets    | AFPacketbond01            | 1485572868<br>
> capture.kernel_packets    | AFPacketbond02            | 0<br>
> capture.kernel_packets    | AFPacketbond03            | 1377368199<br>
> capture.kernel_packets    | AFPacketbond04            | 1389788072<br>
> capture.kernel_packets    | AFPacketbond05            | 1428569217<br>
> capture.kernel_packets    | AFPacketbond06            | 1920661530<br>
> capture.kernel_packets    | AFPacketbond07            | 1408036528<br>
> capture.kernel_packets    | AFPacketbond08            | 1590766009<br>
> capture.kernel_packets    | AFPacketbond09            | 1494232281<br>
> capture.kernel_packets    | AFPacketbond010           | 1451044916<br>
> capture.kernel_packets    | AFPacketbond011           | 3252054939<br>
> capture.kernel_packets    | AFPacketbond012           | 3118034998<br>
> capture.kernel_packets    | AFPacketbond013           | 1493265432<br>
> capture.kernel_packets    | AFPacketbond014           | 1465651530<br>
> capture.kernel_packets    | AFPacketbond015           | 1513765413<br>
> capture.kernel_packets    | AFPacketbond016           | 1616881473<br>
> capture.kernel_packets    | AFPacketbond01            | 1500290226<br>
> capture.kernel_packets    | AFPacketbond02            | 0<br>
> capture.kernel_packets    | AFPacketbond03            | 1390539219<br>
> capture.kernel_packets    | AFPacketbond04            | 1402401529<br>
> capture.kernel_packets    | AFPacketbond05            | 1441521628<br>
> capture.kernel_packets    | AFPacketbond06            | 1934344963<br>
> capture.kernel_packets    | AFPacketbond07            | 1420926996<br>
> capture.kernel_packets    | AFPacketbond08            | 1604977752<br>
> capture.kernel_packets    | AFPacketbond09            | 1525281819<br>
> capture.kernel_packets    | AFPacketbond010           | 1464552695<br>
> capture.kernel_packets    | AFPacketbond011           | 3269385208<br>
> capture.kernel_packets    | AFPacketbond012           | 3131000528<br>
> capture.kernel_packets    | AFPacketbond013           | 1506020632<br>
> capture.kernel_packets    | AFPacketbond014           | 1477735937<br>
> capture.kernel_packets    | AFPacketbond015           | 1528967614<br>
> capture.kernel_packets    | AFPacketbond016           | 1629456468<br>
><br>
>><br>
>> You can try the latest git and use the rollover option  -<br>
>><br>
>> <a href="https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451</a><br>
>> and see if all threads are going to have packets? (you need kernel<br>
>> 3.10 and above).<br>
><br>
> kernel version should be fine, won't have time to test this different mode<br>
> in the short term, but cluster flow seems to be working correctly with the<br>
> exception of this distinct thread?<br>
<br>
</div></div>Is it always this thread, or does it change across restarts?<br>
<div class="HOEnZb"><div class="h5"><br>
>><br>
>><br>
>><br>
>> ><br>
>> > ./d<br>
>> ><br>
>> > _______________________________________________<br>
>> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> > Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support:<br>
>> > <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
>> > List:<br>
>> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> > Suricata User Conference November 4 & 5 in Barcelona:<br>
>> > <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br>
>><br>
>><br>
>><br>
>> --<br>
>> Regards,<br>
>> Peter Manev<br>
><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div>
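<div>Added example (not part of the original messages, and not Suricata project code): an awk pass over <code>capture.kernel_packets</code> lines that reports, for each run between restarts, which capture threads stayed at 0 while a sibling thread in the same stats dump saw traffic. Assumptions: the names <code>sample_log</code> and <code>starved_by_run</code> are hypothetical, the sample lines are constructed, a new dump is inferred when a thread name repeats, and a restart is inferred when any thread's counter drops below its previous value.</div>

```shell
# Constructed sample: three threads, four stats dumps, restart after the second.
sample_log() {
  cat <<'EOF'
capture.kernel_packets    | AFPacketbond01            | 100
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 50
capture.kernel_packets    | AFPacketbond01            | 200
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 90
capture.kernel_packets    | AFPacketbond01            | 10
capture.kernel_packets    | AFPacketbond02            | 20
capture.kernel_packets    | AFPacketbond03            | 0
capture.kernel_packets    | AFPacketbond01            | 30
capture.kernel_packets    | AFPacketbond02            | 40
capture.kernel_packets    | AFPacketbond03            | 0
EOF
}

# starved_by_run [FILE]: reads FILE (or stdin) and prints one line per starved
# thread and run: "run=<n> <thread> zero_dumps=<zero dumps>/<dumps in run>".
starved_by_run() {
  awk -F'|' '
    function close_dump(   t, reset) {
      if (!seen) return
      # Assumption: a counter lower than in the previous dump means a restart.
      for (t in cur) if ((t in prev) && cur[t] < prev[t]) reset = 1
      if (reset) close_run()
      dumps++
      for (t in cur) {
        if (cur[t] == 0 && busy) zero[t]++   # idle thread, busy sibling
        prev[t] = cur[t]
      }
      split("", cur); busy = 0; seen = 0
    }
    function close_run(   t) {
      for (t in zero) printf "run=%d %s zero_dumps=%d/%d\n", run, t, zero[t], dumps
      split("", zero); split("", prev); dumps = 0; run++
    }
    BEGIN { run = 1 }
    $1 ~ /^[ \t]*capture\.kernel_packets[ \t]*$/ {
      gsub(/[ \t]/, "", $2)
      if ($2 in cur) close_dump()            # thread name repeats: next dump
      cur[$2] = $3 + 0; seen = 1
      if (cur[$2] > 0) busy = 1
    }
    END { close_dump(); close_run() }
  ' "${1:--}" | sort
}
sample_log | starved_by_run
```

<div>A dump in which every thread reports 0 is not flagged, which separates an idle interface from a single thread that receives no flows.</div>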