[Oisf-users] decoder.invalid count

Spransy, Derek dsprans at emory.edu
Mon Nov 23 15:30:03 UTC 2015


Hello all,


I'm troubleshooting a very high decoder.invalid count on my sensor; nearly 35%. My kernel drop count is less than 1% and we seem to be generating about the number of alerts that I would expect. I'm not able to find much in the way of documentation that explains what may lead to a packet being marked as invalid in Suricata. The only thing I've found so far is advice to make sure that the interface MTU and Suricata.yaml MTU settings match (which they do) and ensure that the MTU is large enough for packets being seen on that interface (it is). I even tried to increase the MTU to 9026 without any difference. Can anyone point me in the direction of other factors that could be at work here?


Thanks
