<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">will try to dump a pcap from afpacket mode.<div><br></div><div>Meanwhile just some housekeeping quick checks, I hope I am running suricata with correct cmd line options:</div><div>$ sudo ./suricata -D -c suricata.yaml --af-packet<br></div><div><br></div><div>Also there are many (40) ksoftirqd processes running with 0.0% cpu usage:</div><div><br></div><div><div>$ ps -aux | grep irq</div><div>root 3 0.0 0.0 0 0 ? S Sep07 1:14 [ksoftirqd/0]</div><div>root 15 0.0 0.0 0 0 ? S Sep07 0:00 [ksoftirqd/1]</div><div>root 21 0.0 0.0 0 0 ? S Sep07 0:00 [ksoftirqd/2]</div><div>root 26 0.0 0.0 0 0 ? S Sep07 0:00 [ksoftirqd/3]</div><div>root 31 0.8 0.0 0 0 ? S Sep07 324:11 [ksoftirqd/4]<br></div><div>..............<snipped>............</div><div>root 196 0.0 0.0 0 0 ? S Sep07 0:00 [ksoftirqd/37]</div><div>root 201 0.0 0.0 0 0 ? S Sep07 0:03 [ksoftirqd/38]</div><div>root 206 0.0 0.0 0 0 ? S Sep07 0:00 [ksoftirqd/39]</div><div>root 839 0.0 0.0 0 0 ? S Sep07 0:00 [irq/210-mei_me]</div><div>root 938 0.0 0.0 0 0 ? S< Sep07 0:00 [kvm-irqfd-clean]</div></div><div><br></div><div>I hope this is normal.</div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Oct 5, 2018 at 2:20 PM Michał Purzyński <<a href="mailto:michalpurzynski1@gmail.com">michalpurzynski1@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">How about we make Suricata write us a pcap in afpacket workers mode? I’m pretty sure a rule can do that.<br>
<br>
> On Oct 5, 2018, at 8:17 PM, fatema bannatwala <<a href="mailto:fatema.bannatwala@gmail.com" target="_blank">fatema.bannatwala@gmail.com</a>> wrote:<br>
> <br>
> Changing $HOME_NET to any in sid 2022813 didn't help though, still not getting that alert fired.<br>
> One difference I had in suricata.yaml when running in offline pcap reading mode was, I set runmode to "single", while when suricata runs in packet sniffing mode it's set to "workers".<br>
> <br>
> I tried to set it to "runmode:single" while on interface sniffing mode but was hit by ~60% capture loss, which makes sense as single threaded suricata can't handle the traffic flowing through the interface. <br>
> <br>
> The fact that alerts are fired when in offline single threaded mode and same alerts are not fired when online packet sniffing multi-threaded mode, makes me think it has to do with multi-threading vs single threaded mode and how "workers" are capturing packets.<br>
> <br>
> I will keep looking.<br>
> <br>
> (The good thing is that Interrupt/IRQ pinning has helped to reduce capture loss to 0%)<br>
> <br>
> Thanks,<br>
> Fatema <br>
> <br>
> <br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> <br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
</blockquote></div>