[Oisf-users] Losing a lot packets when suricata runs without detection modules
Victor Julien
lists at inliniac.net
Wed Dec 10 10:45:55 UTC 2014
On 12/10/2014 11:33 AM, C. L. Martinez wrote:
> I am doing some tests running suricata without detection modules to
> capture packets under FreeBSD 10.1 host.
>
> To do these tests I am using 2.1beta2 and 2.0.4, and results are the
> same: I lose between 65% and 90% of packets.
>
> Current suricata.yaml used for both releases:
>
> %YAML 1.1
> ---
>
[snip]
>   - pcap-log:
>       enabled: yes
>       filename: snort.log
>       limit: 2gb
>       mode: sguil
>       sguil-base-dir: /nsm/idpsuripcap01
>       use-stream-depth: no
Pcap logging in the 'sguil' mode is not very efficient. 2.1 includes a
'multi' mode but that won't work with sguil directly.
> pcap:
>   - interface: vtnet4
>     #buffer-size: 4mb
>     #checksum-checks: auto
>     threads: 2
Unless you have a special libpcap using 2 threads will result in getting
the same packets twice.
> This is a 1GiB network.
Do you mean gigabit instead?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
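An added example, not from the thread or the Suricata project, that scans a suricata.yaml for the two settings Victor points at (pcap-log in 'sguil' mode and more than one pcap capture thread). The function names are constructed here, and the sample config is the quoted snippet with its indentation restored.

```python
import re

# Constructed sample that mirrors the quoted suricata.yaml (indentation restored).
SAMPLE_YAML = """\
outputs:
  - pcap-log:
      enabled: yes
      mode: sguil
      sguil-base-dir: /nsm/idpsuripcap01
      use-stream-depth: no
pcap:
  - interface: vtnet4
    #buffer-size: 4mb
    #checksum-checks: auto
    threads: 2
"""

def flatten_yaml(text):
    """Minimal indentation walker returning {dotted.path: scalar}. It understands
    the plain mappings and '- key:' list items seen above; not a general parser."""
    stack, out = [], {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#%" or stripped.startswith("---"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if stripped.startswith("- "):          # list item: its keys nest under the list key
            stripped, indent = stripped[2:], indent + 2
        m = re.match(r"([\w-]+):\s*(.*)$", stripped)
        if not m:
            continue
        while stack and stack[-1][0] >= indent:  # climb back out to this nesting level
            stack.pop()
        path = ".".join([k for _, k in stack] + [m.group(1)])
        if m.group(2):
            out[path] = m.group(2)
        else:
            stack.append((indent, m.group(1)))
    return out

def audit_capture_config(text):
    """Flag the two settings the reply identifies as causes of the packet loss."""
    cfg, findings = flatten_yaml(text), []
    if cfg.get("outputs.pcap-log.enabled") == "yes" and cfg.get("outputs.pcap-log.mode") == "sguil":
        findings.append("pcap-log mode 'sguil' is inefficient (2.1 adds 'multi', but sguil cannot use it)")
    threads = cfg.get("pcap.threads", "1")
    if threads.isdigit() and int(threads) > 1:
        findings.append(f"pcap threads: {threads}; plain libpcap hands the same packets to every thread")
    return findings
```

Running `audit_capture_config(SAMPLE_YAML)` on the quoted configuration returns both findings; a copy with `threads: 1` and a non-sguil mode returns none.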