[Oisf-users] What are capture.kernel_packets, capture.kernel_drops

Cooper F. Nelson cnelson at ucsd.edu
Thu Oct 9 21:44:04 UTC 2014


Can you share your bpf filter, on or off the list?

Have you tried worker mode, irqbalance and using all cores as described
in this guide?

> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/

-Coop

On 10/9/2014 2:38 PM, Russell Fulton wrote:
> 
> So far as I can see having a bpf filter does not affect kernel_drop count.
> 
> with filter:
> 
> Date: 10/10/2014 -- 08:46:30 (uptime: 0d, 00h 06m 00s)
> capture.kernel_packets    | RxAFP1                    | 17798914
> capture.kernel_drops      | RxAFP1                    | 6213574
> capture.kernel_packets    | RxAFP2                    | 15635559
> capture.kernel_drops      | RxAFP2                    | 4211399
> capture.kernel_packets    | RxAFP3                    | 17093676
> capture.kernel_drops      | RxAFP3                    | 5095582
> capture.kernel_packets    | RxAFP4                    | 16166640
> capture.kernel_drops      | RxAFP4                    | 5291705
> 
> Without filter
> 
> Date: 10/10/2014 -- 08:53:45 (uptime: 0d, 00h 04m 07s)
> capture.kernel_packets    | RxAFP1                    | 10539088
> capture.kernel_drops      | RxAFP1                    | 5096711
> capture.kernel_packets    | RxAFP2                    | 13563486
> capture.kernel_drops      | RxAFP2                    | 7856506
> capture.kernel_packets    | RxAFP3                    | 12288829
> capture.kernel_drops      | RxAFP3                    | 6765784
> capture.kernel_packets    | RxAFP4                    | 11435141
> capture.kernel_drops      | RxAFP4                    | 6081176
> 
> So I am still trying to figure out why drop rate is what it is.
> 
> Russell


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
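
Added example, not part of the original message and not Suricata's own code: a Python script that parses the two stats snapshots quoted above and reports total kernel drops as a percentage of kernel packets, plus the packet rate over the stated uptime, since the counters are cumulative and the two runs differ in length. It assumes capture.kernel_packets already includes the packets counted in capture.kernel_drops; parse_snapshots and summarize are names chosen for this example.

```python
import re
# Counter lines copied from the two stats snapshots quoted in the message above.
SAMPLE = """\
Date: 10/10/2014 -- 08:46:30 (uptime: 0d, 00h 06m 00s)
capture.kernel_packets    | RxAFP1                    | 17798914
capture.kernel_drops      | RxAFP1                    | 6213574
capture.kernel_packets    | RxAFP2                    | 15635559
capture.kernel_drops      | RxAFP2                    | 4211399
capture.kernel_packets    | RxAFP3                    | 17093676
capture.kernel_drops      | RxAFP3                    | 5095582
capture.kernel_packets    | RxAFP4                    | 16166640
capture.kernel_drops      | RxAFP4                    | 5291705
Date: 10/10/2014 -- 08:53:45 (uptime: 0d, 00h 04m 07s)
capture.kernel_packets    | RxAFP1                    | 10539088
capture.kernel_drops      | RxAFP1                    | 5096711
capture.kernel_packets    | RxAFP2                    | 13563486
capture.kernel_drops      | RxAFP2                    | 7856506
capture.kernel_packets    | RxAFP3                    | 12288829
capture.kernel_drops      | RxAFP3                    | 6765784
capture.kernel_packets    | RxAFP4                    | 11435141
capture.kernel_drops      | RxAFP4                    | 6081176
"""
HEADER = re.compile(r"Date: .*\(uptime: (\d+)d, (\d+)h (\d+)m (\d+)s\)")
COUNTER = re.compile(r"capture\.kernel_(packets|drops)\s*\|\s*(\S+)\s*\|\s*(\d+)")

def parse_snapshots(text):
    """Return one dict per 'Date:' header: uptime in seconds plus per-thread counters."""
    snapshots = []
    for line in text.splitlines():
        if (m := HEADER.search(line)):
            d, h, mi, s = map(int, m.groups())
            snapshots.append({"uptime": ((d * 24 + h) * 60 + mi) * 60 + s, "threads": {}})
        elif (m := COUNTER.search(line)) and snapshots:
            kind, thread, value = m.groups()
            snapshots[-1]["threads"].setdefault(thread, {})[kind] = int(value)
    return snapshots

def summarize(snap):
    # Assumption: kernel_packets already includes the packets counted in kernel_drops.
    threads = list(snap["threads"].values())
    packets = sum(t.get("packets", 0) for t in threads)
    drops = sum(t.get("drops", 0) for t in threads)
    return {"packets": packets, "drops": drops,
            "drop_pct": 100.0 * drops / packets if packets else 0.0,
            "pps": packets / snap["uptime"] if snap["uptime"] else 0.0}

if __name__ == "__main__":
    for snap in parse_snapshots(SAMPLE):
        print(snap["uptime"], "s", summarize(snap))
```

The same functions accept a live stats.log, provided each snapshot still begins with a Date/uptime header in the format shown in the thread.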


