[Oisf-users] What does it means??

Wed Oct 9 13:37:34 UTC 2013

On Wed, Oct 9, 2013 at 1:21 PM, Peter Manev <petermanev at gmail.com> wrote:
> On Wed, Oct 9, 2013 at 3:14 PM, C. L. Martinez <carlopmart at gmail.com> wrote:
>> On Wed, Oct 9, 2013 at 1:10 PM, Peter Manev <petermanev at gmail.com> wrote:
>>>>> --
>>>>
>>>> More or less, same numbers using autofp runmode:
>>>>
>>>> -------------------------------------------------------------------
>>>> Date: 10/9/2013 -- 13:05:07 (uptime: 0d, 00h 03m 18s)
>>>> -------------------------------------------------------------------
>>>> Counter                   | TM Name                   | Value
>>>> -------------------------------------------------------------------
>>>> capture.kernel_packets    | RxPcapem41                | 2283902
>>>> capture.kernel_drops      | RxPcapem41                | 1717154
>>>> capture.kernel_ifdrops    | RxPcapem41                | 0
>>>> _______________________________________________
>>>
>>> What is your start line?
>>> Have you tried with just one interface and then gradually add all 5?
>>>
>>
>> I am sniffing only in one interface, not in 5 ...
>
> "I am monitoring a 1 GiB network, an as you can see in my previous post
> host is a dual core, 10 GiB ram and 5 e1000 nics ..."
>
> That mislead me to the five nics :)

Yes, host has 5 nics, but I am sniffing in only one ...

>
>>
>> Command line is:
>>
>> /usr/local/bin/suricata -i em4 -c /data/config/etc/idpsuricata/suricata.yaml -D
>
> Do you have offloading enabled on the nic?

Nop, offloading is disbled:

em4: flags=48943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,MONITOR>
metric 0 mtu 1514
    options=20d8<VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_MAGIC>
    ether 52:54:00:44:f9:ee
    inet6 fe80::5054:ff:fe44:f9ee%em4 prefixlen 64 scopeid 0x5
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active

> Do you have TCP checksums enabled in yaml?

Nop, as you suggested some time ago :).