[Oisf-users] What are capture.kernel_packets, capture.kernel_drops
Russell Fulton
r.fulton at auckland.ac.nz
Thu Oct 9 21:38:28 UTC 2014
On 9/10/2014, at 9:19 am, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Yes, to an extent.
>
> For example, I make heavy use of BPF filters to sample traffic. So,
> what I'm doing is informing the kernel to selectively filter packets
> before they are passed to the suricata process. This prevents the
> suricata process from getting overloaded and dropping even more packets.
>
> I admit I don't understand this as well as I would like, but I think the
> idea is that the kernel_drops can refer to packets dropped inbound,
> within or outbound re: the kernel process. Remember, the kernel has
> packet buffers and a drop just means it wasn't able to copy a packet
> into one successfully.
>
> If PF_RING works like AF_PACKET mode, the bpf filters are processed by
> the kernel prior to being inserted into the ring buffer.
So far as I can see, having a BPF filter does not affect the kernel_drop count.
With filter:
Date: 10/10/2014 -- 08:46:30 (uptime: 0d, 00h 06m 00s)
capture.kernel_packets | RxAFP1 | 17798914
capture.kernel_drops | RxAFP1 | 6213574
capture.kernel_packets | RxAFP2 | 15635559
capture.kernel_drops | RxAFP2 | 4211399
capture.kernel_packets | RxAFP3 | 17093676
capture.kernel_drops | RxAFP3 | 5095582
capture.kernel_packets | RxAFP4 | 16166640
capture.kernel_drops | RxAFP4 | 5291705
Without filter:
Date: 10/10/2014 -- 08:53:45 (uptime: 0d, 00h 04m 07s)
capture.kernel_packets | RxAFP1 | 10539088
capture.kernel_drops | RxAFP1 | 5096711
capture.kernel_packets | RxAFP2 | 13563486
capture.kernel_drops | RxAFP2 | 7856506
capture.kernel_packets | RxAFP3 | 12288829
capture.kernel_drops | RxAFP3 | 6765784
capture.kernel_packets | RxAFP4 | 11435141
capture.kernel_drops | RxAFP4 | 6081176
So I am still trying to figure out why the drop rate is what it is.
Russell
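The two stats.log snapshots above give raw counters, not rates. The following is an added example, not code from the thread or from the Suricata project: it parses lines in the `capture.kernel_* | thread | value` form shown above, reports the drop ratio per AF_PACKET thread and overall, and, because stats.log counters are cumulative since Suricata started, also computes the rate over an interval between two snapshots of the same run and refuses snapshots where a counter went backwards (a restart, which is the case for the two blocks quoted here). It assumes, as the Linux PACKET_STATISTICS counter does, that kernel_packets already includes the dropped packets.

```python
import re
from collections import defaultdict
# Constructed sample: the "with filter" snapshot quoted above, in stats.log format.
SAMPLE = """\
Date: 10/10/2014 -- 08:46:30 (uptime: 0d, 00h 06m 00s)
capture.kernel_packets | RxAFP1 | 17798914
capture.kernel_drops | RxAFP1 | 6213574
capture.kernel_packets | RxAFP2 | 15635559
capture.kernel_drops | RxAFP2 | 4211399
capture.kernel_packets | RxAFP3 | 17093676
capture.kernel_drops | RxAFP3 | 5095582
capture.kernel_packets | RxAFP4 | 16166640
capture.kernel_drops | RxAFP4 | 5291705
"""

LINE_RE = re.compile(r"^\s*capture\.kernel_(packets|drops)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_capture_counters(text):
    """Return {thread: {"packets": n, "drops": n}}; non-capture lines are skipped."""
    counters = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            field, thread, value = m.groups()
            counters[thread][field] = int(value)
    return dict(counters)

def drop_rates(counters):
    """Per-thread drop ratio plus "total". kernel_packets is taken to include the
    dropped packets (assumption: as Linux PACKET_STATISTICS does), so it is the fraction lost."""
    rates, total_p, total_d = {}, 0, 0
    for thread, c in sorted(counters.items()):
        rates[thread] = c["drops"] / c["packets"] if c["packets"] else 0.0
        total_p, total_d = total_p + c["packets"], total_d + c["drops"]
    rates["total"] = total_d / total_p if total_p else 0.0
    return rates

def interval_drop_rate(prev, curr):
    """Drop ratio between two cumulative snapshots of one run. stats.log counters
    only grow, so a counter that went backwards means Suricata was restarted and
    the snapshots are not comparable (as with the two snapshots in this thread)."""
    total_p = total_d = 0
    for thread, c in curr.items():
        p = prev.get(thread, {"packets": 0, "drops": 0})
        dp, dd = c["packets"] - p["packets"], c["drops"] - p["drops"]
        if dp < 0 or dd < 0:
            raise ValueError(f"{thread}: counters reset, snapshots are not comparable")
        total_p, total_d = total_p + dp, total_d + dd
    return total_d / total_p if total_p else 0.0
```

On the "with filter" snapshot this gives roughly 35% for RxAFP1 and about 31% overall, so the filter is not the variable to look at; the per-thread spread is a better lead.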