<div dir="ltr">No. Previously this was in stats.log. Right now I have zero ways of telling if pf_ring or af_packet is being properly used. :)<div><br></div><div><a href="https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/">https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/</a><br></div><div><br></div><div><br></div><div><pre class="gmail-literal-block" style="margin-top:1.5em;margin-bottom:1.5em;padding:1em;border:1px solid rgb(221,221,221);outline:0px;font-size:13.92px;font-family:"courier new",courier,monaco,"lucida console",monospace;overflow:auto;background-color:rgb(247,247,247);line-height:1.5em;border-radius:5px;color:rgb(0,0,0)">capture.kernel_packets | AFPacketeth315 | 1436331302
capture.kernel_drops | AFPacketeth315 | 0
capture.kernel_packets | AFPacketeth316 | 1449320230
capture.kernel_drops | AFPacketeth316 | 0</pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 16, 2016 at 1:51 PM, Andreas Moe <span dir="ltr"><<a href="mailto:moe.andreas@gmail.com" target="_blank">moe.andreas@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Shouldnt suricata logging (suricata.log if enabled, and not sure of what verbose level needed) indicate what acquisition method is used?</p>
<br><div class="gmail_quote"><div><div class="h5"><div dir="ltr">Den ons. 16. nov. 2016, 19:45 skrev erik clark <<a href="mailto:philosnef@gmail.com" target="_blank">philosnef@gmail.com</a>>:<br></div></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr" class="m_-5861063854257505270gmail_msg">Ok, so I can't tell if either pfring or afpacket is actually being used by suricata. Previous versions of suricata had AFPacket in the stats.log indicating one or the other is loaded. Now, all it says:<div class="m_-5861063854257505270gmail_msg"><br class="m_-5861063854257505270gmail_msg"></div><div class="m_-5861063854257505270gmail_msg">(stat) | W#12-em3 | (value)</div><div class="m_-5861063854257505270gmail_msg"><br class="m_-5861063854257505270gmail_msg"></div><div class="m_-5861063854257505270gmail_msg">How can I tell that either afpacket or pfring is _actually_ being used as expected, when nothing in the stats.log file indicates that this is the case? Thanks!</div><div class="m_-5861063854257505270gmail_msg"><br class="m_-5861063854257505270gmail_msg"></div></div></div></div>
______________________________<wbr>_________________<br class="m_-5861063854257505270gmail_msg">
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" class="m_-5861063854257505270gmail_msg" target="_blank">oisf-users@<wbr>openinfosecfoundation.org</a><br class="m_-5861063854257505270gmail_msg">
Site: <a href="http://suricata-ids.org" rel="noreferrer" class="m_-5861063854257505270gmail_msg" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" class="m_-5861063854257505270gmail_msg" target="_blank">http://suricata-ids.org/<wbr>support/</a><br class="m_-5861063854257505270gmail_msg">
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" class="m_-5861063854257505270gmail_msg" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br class="m_-5861063854257505270gmail_msg">
Suricata User Conference November 9-11 in Washington, DC: <a href="http://suricon.net" rel="noreferrer" class="m_-5861063854257505270gmail_msg" target="_blank">http://suricon.net</a></blockquote></div>
</blockquote></div><br></div>