[Oisf-users] decoder.invalid count

Andreas Moe moe.andreas at gmail.com
Mon Nov 23 15:35:14 UTC 2015

Have you tried performing a tcpdump / tshark capture of the live traffic
alongside the realtime analyzed traffic? 1) Send traffic to Suricata,
collects stats for 30min, 2) At the same time perform dump of network
traffic to disk and analyze to see if the same discrepancies are found
there? With that fullcapture, you could also look into what kind of
protocols the network link is acctualy sending (if this is not 100% known
from before).

Haven't worked with that high MTUs in Suricata before, so dont have any
personal experience to say that that could or could not be an issue.

Someone else might probably have a better answer than this, sorry :)

2015-11-23 16:30 GMT+01:00 Spransy, Derek <dsprans at emory.edu>:

> Hello all,
> I'm troubleshooting a very high decoder.invalid count on my sensor; nearly
> 35%. My kernel drop count is less than 1% and we seem to be generating
> about the number of alerts that I would expect. I'm not able to find much
> in the way of documentation that explains what may lead to a packet being
> marked as invalid in Suricata. The only thing I've found so far is advice
> to make sure that the interface MTU and Suricata.yaml MTU settings match
> (which they do) and ensure that the MTU is large enough for packets being
> seen on that interface (it is). I even tried to increase the MTU to 9026
> without any difference. Can anyone point me in the direction of other
> factors that could be at work here?
> Thanks
> ------------------------------
> This e-mail message (including any attachments) is for the sole use of
> the intended recipient(s) and may contain confidential and privileged
> information. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution
> or copying of this message (including any attachments) is strictly
> prohibited.
> If you have received this message in error, please contact
> the sender by reply e-mail message and destroy all copies of the
> original message (including attachments).
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151123/eeee0bef/attachment-0002.html>

More information about the Oisf-users mailing list