[Oisf-users] Oisf-users Digest, Vol 14, Issue 2

Victor Julien victor at inliniac.net
Mon Jan 10 09:17:24 UTC 2011


On 01/06/2011 09:49 AM, David Rodrigues wrote:
> Thanks Dave for the explanation. I'll definitely give pf_ring a try.
> However, now that I'm looking more carefully at the output, I see that
> the two lines show different results:
> 
> [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes
> 14643147733
> [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236
> Recv:71318162 Drop:46416074 (39.4%).
> 
> In the first line, the number of received/total(?) packets is 24902042.
> In the second line the number of packets(?) is completely different:
> 117734236 total and 71318162 received.
> 
> Looking into the code, the first line came from tv (ThreadVars) while
> the second line came from data (PcapThreadVars). However I don't
> understand what is the difference between them.

Not completely. The first line was from the thread's internal accounting.
It contains the number of packets that Suricata actually read to be
processed.

The second line contains stats that come from the pcap interface. So
that's not a number Suricata keeps.


Have you tried increasing the pcap buffer size with the
--pcap-buffer-size commandline option?

And have you tried increasing the max-pending-packets setting in
suricata.yaml?

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
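The two exit-stat lines discussed above come from different sources: the "Packets N, bytes M" line is Suricata's own per-thread count of what it read, while the "Pcap Total/Recv/Drop" line is what the pcap interface reports. The following script is an added example (not Suricata's code and not part of this thread) that parses both lines per capture thread, checks that Recv + Drop equals Total, and flags threads whose pcap drop ratio is above a threshold, pointing at the two tunables Victor mentions. The log text is constructed from the lines quoted in the thread (re-joined onto one line each, as Suricata prints them) plus a hypothetical second thread named ReceivePcap2 with no drops; the thread names, the 1% threshold and the function names are assumptions for the example.

```python
"""Parse Suricata pcap ThreadExitStats lines and flag capture drops.

Added example, not Suricata's own code. SAMPLE_LOG is constructed from the
two lines quoted in the mailing-list thread plus one hypothetical healthy
thread (ReceivePcap2).
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes 14643147733
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236 Recv:71318162 Drop:46416074 (39.4%).
[10425] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap2) Packets 1000, bytes 64000
[10425] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap2) Pcap Total:1000 Recv:1000 Drop:0 (0.0%).
"""

# First line of each pair: Suricata's own per-thread accounting, i.e. the
# packets the receive thread actually read for processing.
PACKETS_RE = re.compile(
    r"\((?P<thread>[^)]+)\) Packets (?P<packets>\d+), bytes (?P<bytes>\d+)")
# Second line: counters reported by the pcap interface, not kept by Suricata.
PCAP_RE = re.compile(
    r"\((?P<thread>[^)]+)\) Pcap Total:(?P<total>\d+) "
    r"Recv:(?P<recv>\d+) Drop:(?P<drop>\d+)")


@dataclass
class ThreadStats:
    thread: str
    packets: int = 0       # Suricata: packets read by this thread
    bytes: int = 0         # Suricata: bytes read by this thread
    pcap_total: int = 0    # pcap: received + dropped
    pcap_recv: int = 0     # pcap: delivered to the application
    pcap_drop: int = 0     # pcap: dropped because the capture buffer was full

    @property
    def drop_ratio(self) -> float:
        return self.pcap_drop / self.pcap_total if self.pcap_total else 0.0


def parse_exit_stats(text: str) -> dict:
    """Group the two exit-stat lines of each capture thread by thread name."""
    stats = {}
    for line in text.splitlines():
        if "ThreadExitStats" not in line:
            continue
        m = PACKETS_RE.search(line)
        if m:
            st = stats.setdefault(m["thread"], ThreadStats(m["thread"]))
            st.packets, st.bytes = int(m["packets"]), int(m["bytes"])
            continue
        m = PCAP_RE.search(line)
        if m:
            st = stats.setdefault(m["thread"], ThreadStats(m["thread"]))
            st.pcap_total = int(m["total"])
            st.pcap_recv = int(m["recv"])
            st.pcap_drop = int(m["drop"])
    return stats


def assess(stats: dict, max_drop_ratio: float = 0.01) -> list:
    """Return one finding string per problem found (empty list if none).

    The 1% threshold is an assumption for the example. Drops mean the pcap
    buffer filled faster than Suricata drained it; the thread suggests
    --pcap-buffer-size and max-pending-packets (suricata.yaml) as the knobs.
    """
    findings = []
    for name, st in sorted(stats.items()):
        if st.pcap_total and st.pcap_recv + st.pcap_drop != st.pcap_total:
            findings.append(f"{name}: pcap counters inconsistent "
                            f"(Recv+Drop != Total)")
        if st.drop_ratio > max_drop_ratio:
            findings.append(
                f"{name}: pcap dropped {st.pcap_drop} of {st.pcap_total} "
                f"packets ({st.drop_ratio:.1%}); Suricata itself read "
                f"{st.packets}; try raising --pcap-buffer-size and "
                f"max-pending-packets")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_exit_stats(SAMPLE_LOG)):
        print(finding)
```

Run it against a real suricata.log by replacing SAMPLE_LOG with the file contents; only the two ThreadExitStats lines per thread are consumed. Note that the Suricata "Packets" count and the pcap "Recv" count are kept by different parties, so the script does not require them to agree; it only checks the pcap counters against each other and against the drop threshold.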