[Oisf-users] What are capture.kernel_packets, capture.kernel_drops

Cooper F. Nelson cnelson at ucsd.edu
Wed Oct 8 20:19:48 UTC 2014

Hash: SHA1

Yes, to an extent.

For example, I make heavy use of BPF filters to sample traffic.  So,
what I'm doing is informing the kernel to selectively filter packets
before they are passed to the suricata process.  This prevents the
suricata process from getting overloaded and dropping even more packets.

I admit I don't understand this as well as I would like, but I think the
idea is that the kernel_drops can refer to packets dropped inbound,
within or outbound re: the kernel process.  Remember, the kernel has
packet buffers and a drop just means it wasn't able to copy a packet
into one successfully.

If PF_RING works like AF_PACKET mode, the bpf filters are processed by
the kernel prior to being inserted into the ring buffer.

- -Coop

On 10/8/2014 12:30 PM, Charles DeVoe wrote:
> Will the use of BPF filters affect this?  We are using PF_RING.  
> On Wednesday, October 8, 2014 2:32 PM, Cooper F. Nelson
> <cnelson at ucsd.edu> wrote:
> These stats refer to packets processed/dropped by the kernel prior to
> being passed to suricata for processing.  Packets will be dropped before
> processing them, so indeed the drops can be higher.
> If you are dropping lots of packets in kernel space, it means you are
> either trying to processes too many packets per thread, or your kernel
> packet buffers are too small.
> -Coop
> On 10/8/2014 8:26 AM, Charles DeVoe wrote:
>> in the stats file there are 2 values of
>> interest, capture.kernel_packets, capture.kernel_drops. 
>> I believe that capture.kernel_packets would be the total number of
>> packets for each thread,  capture.kernel_drops would be the number
>> of capture.kernel_packets dropped.  Hence capture.kernel_packets should
>> always be greater than capture.kernel_drops.  However, this does not
>> appear to be the case.  We have many instances where the number
>> of capture.kernel_packets is less than capture.kernel_drops.  Indicating
>> we are dropping more packets than we receive. 
>> The question here is what are these two values and how are they derived?
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> <mailto:oisf-users at openinfosecfoundation.org>
>> Site: http://suricata-ids.org <http://suricata-ids.org/>| Support:
> http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/

- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
Version: GnuPG v2.0.17 (MingW32)


More information about the Oisf-users mailing list