[Oisf-users] What are capture.kernel_packets, capture.kernel_drops

Russell Fulton r.fulton at auckland.ac.nz
Thu Oct 9 23:10:49 UTC 2014 

On 10/10/2014, at 10:44 am, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> Signed PGP part
> Can you share your bpf filter, on or off the list?
> 
> Have you tried worker mode, irqbalance and using all cores as described
> in this guide?
> 
> > https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
> 

Yes, I have but the difference (I suspect) is that I need to run argus and vortex on the same host.

Here is what I get when I use this setup:

Oct 10 11:52:14 secmontst01 suricata: 10/10/2014 -- 11:52:14 - <Notice> - all 32 packet processing threads, 3 management threads initialized, engine started. 

Date: 10/10/2014 -- 12:09:45 (uptime: 0d, 00h 17m 39s)
capture.kernel_packets    | RxAFP1                    | 19010720
capture.kernel_drops      | RxAFP1                    | 4554338
capture.kernel_packets    | RxAFP2                    | 20855771
capture.kernel_drops      | RxAFP2                    | 6538616
capture.kernel_packets    | RxAFP3                    | 20211500
capture.kernel_drops      | RxAFP3                    | 5418031
capture.kernel_packets    | RxAFP4                    | 22586444
capture.kernel_drops      | RxAFP4                    | 8229282
capture.kernel_packets    | RxAFP5                    | 30365638
capture.kernel_drops      | RxAFP5                    | 15239780
capture.kernel_packets    | RxAFP6                    | 20725505
capture.kernel_drops      | RxAFP6                    | 5789617
capture.kernel_packets    | RxAFP7                    | 22004167
capture.kernel_drops      | RxAFP7                    | 7708126
capture.kernel_packets    | RxAFP8                    | 20861213
capture.kernel_drops      | RxAFP8                    | 5999151
capture.kernel_packets    | RxAFP9                    | 19993308
capture.kernel_drops      | RxAFP9                    | 5551356
capture.kernel_packets    | RxAFP10                   | 20493995
capture.kernel_drops      | RxAFP10                   | 5672954
capture.kernel_packets    | RxAFP11                   | 19237837
capture.kernel_drops      | RxAFP11                   | 4745524
capture.kernel_packets    | RxAFP12                   | 18959372
capture.kernel_drops      | RxAFP12                   | 4636839
capture.kernel_packets    | RxAFP13                   | 19265602
capture.kernel_drops      | RxAFP13                   | 4853184
capture.kernel_packets    | RxAFP14                   | 20297222
capture.kernel_drops      | RxAFP14                   | 5709465
capture.kernel_packets    | RxAFP15                   | 20886974
capture.kernel_drops      | RxAFP15                   | 6746690
capture.kernel_packets    | RxAFP16                   | 16575452
capture.kernel_drops      | RxAFP16                   | 3134244

config file will be here for a few days: https://webdropoff.auckland.ac.nz/cgi-bin/pickup/52881b606690eb4041d8f84667a593d6/182886

one minor quirk I noticed when doing tuning is that 

sudo ethtool -n eth3 rx-flow-hash udp4

fails:  Cannot get RX network flow hashing options: Operation not supported

I am using a recent version of the intel ixgbe drivers.

Russell

More information about the Oisf-users mailing list