[Oisf-users] What are capture.kernel_packets, capture.kernel_drops

Cooper F. Nelson cnelson at ucsd.edu
Wed Oct 8 18:32:31 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

These stats refer to packets processed/dropped by the kernel prior to
being passed to suricata for processing.  Packets will be dropped before
processing them, so indeed the drops can be higher.

If you are dropping lots of packets in kernel space, it means you are
either trying to processes too many packets per thread, or your kernel
packet buffers are too small.

- -Coop

On 10/8/2014 8:26 AM, Charles DeVoe wrote:
> in the stats file there are 2 values of
> interest, capture.kernel_packets, capture.kernel_drops.  
> 
> I believe that capture.kernel_packets would be the total number of
> packets for each thread,  capture.kernel_drops would be the number
> of capture.kernel_packets dropped.  Hence capture.kernel_packets should
> always be greater than capture.kernel_drops.  However, this does not
> appear to be the case.  We have many instances where the number
> of capture.kernel_packets is less than capture.kernel_drops.  Indicating
> we are dropping more packets than we receive.  
> 
> The question here is what are these two values and how are they derived?
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUNYM/AAoJEKIFRYQsa8FWFrMIAJG1bC4IzYTsw+93x4ZOLrh9
ZbM5tgfgIWZoU1Owwi+i8rfJYpKka23c7v7ODxbeKAlXY8gT8mBNLjPVJkaOLWrr
CANpcw+5pGzUlIjGhdvoQmlbejjoE7BVdAxo6lJWnskpAcolaU0ECq+DHN9g9SQA
F0oasIPtT9egmtC0+W2M4C6sy1TuayhmChuX0TVqOOUWoUpLpX7J/DcjluBwZOVT
bR8ooqvv8UcEWaqTDReZUhDaLVTxukaISgCWO/aw5Wj43Hc+w+jWMwAvB4jYRuRE
0GtQ0vgNJf+olKKPx/xSru4V5nswAuW0MViH7A3f4AcL+tDf+6eXlORFwpAccI8=
=nWUD
-----END PGP SIGNATURE-----

More information about the Oisf-users mailing list