<div dir="ltr">Have you tried performing a tcpdump / tshark capture of the live traffic alongside the realtime analyzed traffic? 1) Send traffic to Suricata, collects stats for 30min, 2) At the same time perform dump of network traffic to disk and analyze to see if the same discrepancies are found there? With that fullcapture, you could also look into what kind of protocols the network link is acctualy sending (if this is not 100% known from before).<div><br></div><div>Haven't worked with that high MTUs in Suricata before, so dont have any personal experience to say that that could or could not be an issue.</div><div><br></div><div>Someone else might probably have a better answer than this, sorry :)</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-11-23 16:30 GMT+01:00 Spransy, Derek <span dir="ltr"><<a href="mailto:dsprans@emory.edu" target="_blank">dsprans@emory.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-size:12pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hello all,</p>
<p><br>
</p>
<p>I'm troubleshooting a very high decoder.invalid count on my sensor; nearly 35%. My kernel drop count is less than 1% and we seem to be generating about the number of alerts that I would expect. I'm not able to find much in the way of documentation that explains
what may lead to a packet being marked as invalid in Suricata. The only thing I've found so far is advice to make sure that the interface MTU and Suricata.yaml MTU settings match (which they do) and ensure that the MTU is large enough for packets being seen
on that interface (it is). I even tried to increase the MTU to 9026 without any difference. Can anyone point me in the direction of other factors that could be at work here?</p>
<p><br>
</p>
<p>Thanks</p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This e-mail message (including any attachments) is for the sole use of<br>
the intended recipient(s) and may contain confidential and privileged<br>
information. If the reader of this message is not the intended<br>
recipient, you are hereby notified that any dissemination, distribution<br>
or copying of this message (including any attachments) is strictly<br>
prohibited.<br>
<br>
If you have received this message in error, please contact<br>
the sender by reply e-mail message and destroy all copies of the<br>
original message (including attachments).<br>
</font>
</div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 4 & 5 in Barcelona: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a><br></blockquote></div><br></div>