[Oisf-users] hardware timestamping with af-packet/suricata

jason taylor jtfas90 at gmail.com
Fri Nov 11 16:31:01 UTC 2016


After talking with Victor a little bit at the conference he suggested
seeing what others have to say.

In our environment we recently discovered an issue related to hardware
timestamping. 

After a period of time post NIC driver load, we will see a drift
forward and/or back in time. The forward or back is dependent on the
frequency of the chip on the NIC. In our case we have 10g and 40g cards
we see the issue with. This results in our suricata alerts being
stamped with the errant time since suricata/af-packet uses hardware
timestamping if it's available.

Looking into possible solutions while waiting on a response from the
vendor I noted that netsniff-ng also by default uses hardware
timestamping but added a --no-hwtimestamp runtime option to account for
situations where hardware timestamping is buggy or what have you.

While I realize this isn't a suricata issue (we should have chosen our
hardware a bit more carefully), aside from hardware/driver issues are
there other situations where one might want to disable hardware
timestamping at runtime (e.g. --no-hwtimestamp) in suricata? Is this
something that would be worth adding as a configuration option in
suricata?

TIA,

JT
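The drift the post describes (NIC hardware clock running ahead of or behind the host clock a while after driver load) is easy to miss until alert timestamps are visibly wrong. The following is an added example, not code from the post or from the Suricata project: it takes pairs of (hardware timestamp, host timestamp) observed for received packets, fits the offset against elapsed time by least squares, and reports the drift rate in parts per million plus the worst offset seen. The `make_samples` helper, the threshold values and all sample data are constructed assumptions for the demonstration; on a real sensor the pairs would come from the packet capture timestamp and the host clock read at receipt.

```python
# Added example, not from the mailing-list post: estimate drift between a
# NIC's hardware timestamps and the host clock from paired samples, so a
# sensor operator can spot the "drift forward and/or back" the post
# describes before alerts are stamped with the wrong time.
#
# All sample data below is constructed; helper names are assumptions.
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Sample = Tuple[float, float]  # (hardware timestamp, host timestamp), seconds


@dataclass
class DriftReport:
    offset_start: float    # hw - host at the first sample, seconds
    offset_end: float      # hw - host at the last sample, seconds
    rate_ppm: float        # drift rate in parts per million (positive = NIC clock runs fast)
    max_abs_offset: float  # worst absolute disagreement seen, seconds
    drifting: bool         # True when the rate or the offset exceeds a threshold


def estimate_drift(samples: Sequence[Sample],
                   max_ppm: float = 10.0,
                   max_offset_s: float = 0.001) -> DriftReport:
    """Fit offset = hw - host against elapsed host time by least squares.

    The slope is the drift rate of the NIC clock relative to the host
    clock; a constant offset (for example a clock set wrong from the start)
    shows up in the offsets themselves, not in the slope.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate drift")
    t0 = samples[0][1]
    xs = [host - t0 for _, host in samples]    # elapsed host time
    ys = [hw - host for hw, host in samples]   # instantaneous offset
    n = len(samples)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx if sxx > 0 else 0.0      # seconds of offset per second
    rate_ppm = slope * 1e6
    max_abs = max(abs(y) for y in ys)
    drifting = abs(rate_ppm) > max_ppm or max_abs > max_offset_s
    return DriftReport(ys[0], ys[-1], rate_ppm, max_abs, drifting)


def make_samples(duration_s: float, step_s: float, ppm: float,
                 initial_offset_s: float = 0.0,
                 t_start: float = 1_478_880_000.0) -> List[Sample]:
    """Construct samples from a NIC clock running `ppm` fast (or slow) vs the host.

    Constructed data for this example only; real pairs would come from the
    capture timestamp of each packet and the host clock at receipt.
    """
    samples: List[Sample] = []
    k = 0
    while k * step_s <= duration_s:
        host = t_start + k * step_s
        hw = host + initial_offset_s + ppm * 1e-6 * (k * step_s)
        samples.append((hw, host))
        k += 1
    return samples


if __name__ == "__main__":
    # One hour of samples every 10 s: a stable NIC and one drifting 50 ppm.
    for label, ppm in (("stable NIC", 0.1), ("drifting NIC", 50.0)):
        print(label, estimate_drift(make_samples(3600, 10, ppm)))
```

A 50 ppm clock accumulates 0.18 s of error per hour, which is enough to reorder alerts against other log sources; running a check like this periodically (and confirming with `ethtool -T <iface>` whether the interface is actually providing hardware timestamps) gives an operator a concrete signal for when to fall back to software timestamping.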


