[Oisf-users] problem with suricata3 stats logs

Andreas Moe moe.andreas at gmail.com
Wed Nov 16 19:00:19 UTC 2016


I know that it was previously in the stats.log, but that has been changed,
to make a more uniform logging format, for many different reasons. But,
what I was trying to convey was that in the Suricata application log, it
should indicate what kind of packet acquisition method is being utilized.
AKA, the suricata.log should say if either AF-PACKET or PF_RING is being
used. But then again, why are you not specifying this when starting
Suricata? You cannot use them at the same time.

On Wed 16 Nov 2016 at 19:55, erik clark <philosnef at gmail.com> wrote:

> No. Previously this was in stats.log. Right now I have zero ways of
> telling if pf_ring or af_packet is being properly used. :)
>
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>
>
> capture.kernel_packets    | AFPacketeth315            | 1436331302
> capture.kernel_drops      | AFPacketeth315            | 0
> capture.kernel_packets    | AFPacketeth316            | 1449320230
> capture.kernel_drops      | AFPacketeth316            | 0
>
>
> On Wed, Nov 16, 2016 at 1:51 PM, Andreas Moe <moe.andreas at gmail.com>
> wrote:
>
> Shouldn't Suricata logging (suricata.log if enabled, and not sure of what
> verbose level is needed) indicate what acquisition method is used?
>
> On Wed 16 Nov 2016, 19:45, erik clark <philosnef at gmail.com> wrote:
>
> Ok, so I can't tell if either pfring or afpacket is actually being used by
> Suricata. Previous versions of Suricata had AFPacket in the stats.log
> indicating one or the other is loaded. Now, all it says is:
>
> (stat) | W#12-em3 | (value)
>
> How can I tell that either afpacket or pfring is _actually_ being used as
> expected, when nothing in the stats.log file indicates that this is the
> case? Thanks!
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://suricon.net
>
>
>
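As an added example (not from this thread or the Suricata project), a small parser for stats.log lines in the two shapes quoted above: it collects the per-thread capture.kernel_packets and capture.kernel_drops counters, infers the capture method only where an old-style thread name such as AFPacketeth315 still exposes it, and flags threads whose kernel drop percentage exceeds a threshold. The sample lines and the 1% threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed stats.log lines: old-style thread names ("AFPacketeth315") that
# reveal the capture method, and a Suricata 3 worker name ("W#12-em3") that does not.
SAMPLE_STATS = """\
capture.kernel_packets    | AFPacketeth315            | 1436331302
capture.kernel_drops      | AFPacketeth315            | 0
capture.kernel_packets    | AFPacketeth316            | 1449320230
capture.kernel_drops      | AFPacketeth316            | 120
capture.kernel_packets    | W#12-em3                  | 500000
capture.kernel_drops      | W#12-em3                  | 15000
"""

# counter | thread | integer value
STAT_LINE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_stats(text):
    """Return {thread: {counter: value}} for the capture.* counters in stats.log text."""
    per_thread = defaultdict(dict)
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if not m:
            continue  # header, separator and date lines do not match
        counter, thread, value = m.group(1), m.group(2), int(m.group(3))
        if counter.startswith("capture."):
            per_thread[thread][counter] = value
    return dict(per_thread)


def capture_method(thread):
    """Old-style names carry the method; a W#<n>-<iface> worker name does not."""
    if thread.startswith("AFPacket"):
        return "af-packet"
    return "unknown"


def summarize(text, max_drop_pct=1.0):
    """Per-thread capture method and kernel drop percentage, with an alert flag."""
    out = {}
    for thread, counters in parse_stats(text).items():
        packets = counters.get("capture.kernel_packets", 0)
        drops = counters.get("capture.kernel_drops", 0)
        pct = (100.0 * drops / packets) if packets else 0.0
        out[thread] = {"method": capture_method(thread),
                       "drop_pct": round(pct, 4), "alert": pct > max_drop_pct}
    return out


if __name__ == "__main__":
    for thread, info in summarize(SAMPLE_STATS).items():
        print(f"{thread:16} {info['method']:10} drops={info['drop_pct']}% alert={info['alert']}")
```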