[Oisf-users] problem with suricata3 stats logs

erik clark philosnef at gmail.com
Wed Nov 16 19:05:22 UTC 2016


I am specifying it at run time. My suricata.log has nothing indicating
method of acquisition... whether I use afpacket or pfring. All I have, other
than the startup message, is an event message indicating that all packet
processing threads, management threads initialized, engine started.

On Wed, Nov 16, 2016 at 2:00 PM, Andreas Moe <moe.andreas at gmail.com> wrote:

> I know that it was previously in the stats.log, but that has been changed,
> to make a more uniform logging format, for many different reasons. But,
> what I was trying to convey, was that in the suricata application log, it
> should indicate what kind of packet acquisition method is being utilized.
> AKA, the suricata.log should say if either AF-PACKET or PF_RING is being
> used. But then again, why are you not specifying this when starting
> Suricata? You cannot use them at the same time.
>
> ons. 16. nov. 2016 kl. 19.55 skrev erik clark <philosnef at gmail.com>:
>
>> No. Previously this was in stats.log. Right now I have zero ways of
>> telling if pf_ring or af_packet is being properly used. :)
>>
>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>>
>>
>> capture.kernel_packets    | AFPacketeth315            | 1436331302
>> capture.kernel_drops      | AFPacketeth315            | 0
>> capture.kernel_packets    | AFPacketeth316            | 1449320230
>> capture.kernel_drops      | AFPacketeth316            | 0
>>
>>
>> On Wed, Nov 16, 2016 at 1:51 PM, Andreas Moe <moe.andreas at gmail.com>
>> wrote:
>>
>> Shouldn't suricata logging (suricata.log if enabled, and not sure of what
>> verbose level needed) indicate what acquisition method is used?
>>
>> Den ons. 16. nov. 2016, 19:45 skrev erik clark <philosnef at gmail.com>:
>>
>> Ok, so I can't tell if either pfring or afpacket is actually being used
>> by suricata. Previous versions of suricata had AFPacket in the stats.log
>> indicating one or the other is loaded. Now, all it says:
>>
>> (stat) | W#12-em3 | (value)
>>
>> How can I tell that either afpacket or pfring is _actually_ being used as
>> expected, when nothing in the stats.log file indicates that this is the
>> case? Thanks!
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://suricon.net
>>
>>
>>
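As an added example for this thread (not code from the Suricata project or from anyone on the list): a small parser that takes the `counter | thread | value` rows from a stats.log dump, groups them by thread, and reports capture.kernel_packets / capture.kernel_drops and the drop ratio per thread. It also shows the point under discussion: the old thread names like `AFPacketeth315` embed the capture module and can be mapped to a method, while the newer `W#12-em3` style carries no such hint, so the method column comes out as `unknown` for them. The sample stats.log text is constructed here from the rows quoted above plus made-up `W#` rows; the `RxPFR` prefix for pf_ring threads is an assumption used only for labelling.

```python
"""Summarise per-thread capture counters from a Suricata stats.log dump.

Added example for this mailing-list thread, not Suricata's own code.
"""
import re
from collections import defaultdict

PACKETS = "capture.kernel_packets"
DROPS = "capture.kernel_drops"

# Thread-name prefixes used by the older stats.log capture-thread names.
# 'AFPacket' is taken from the rows quoted in this thread; 'RxPFR' for
# pf_ring is an assumption and is only used to label the output.
METHOD_PREFIXES = {"AFPacket": "af-packet", "RxPFR": "pf_ring"}

# A counter row: counter name | thread name | integer value.
ROW = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Constructed sample: the four rows quoted in the thread plus invented
# new-style 'W#' rows and a header block in the stats.log layout.
SAMPLE = """\
-------------------------------------------------------------------
Date: 11/16/2016 -- 19:05:22 (uptime: 0d, 01h 02m 03s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | AFPacketeth315            | 1436331302
capture.kernel_drops      | AFPacketeth315            | 0
capture.kernel_packets    | AFPacketeth316            | 1449320230
capture.kernel_drops      | AFPacketeth316            | 0
capture.kernel_packets    | W#12-em3                  | 500000
capture.kernel_drops      | W#12-em3                  | 25000
decoder.pkts              | W#13-em3                  | 123456
"""


def parse_stats(text):
    """Return {thread: {counter: value}} for every counter row in text.

    Header lines, separators and the Date: line do not match ROW and are
    skipped, so the function can be fed a whole stats.log file.
    """
    threads = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        counter, thread, value = m.group(1), m.group(2), int(m.group(3))
        threads[thread][counter] = value
    return dict(threads)


def capture_method(thread):
    """Infer the capture module from an old-style thread name, else 'unknown'."""
    for prefix, method in METHOD_PREFIXES.items():
        if thread.startswith(prefix):
            return method
    return "unknown"


def capture_summary(text, drop_threshold=0.01):
    """Per-thread packets, drops, drop ratio and an 'ok' flag.

    A thread that emits no capture.kernel_* counters is reported with None
    values and ok=False, which is the visible sign that no capture
    statistics are being produced for it at all.
    """
    summary = {}
    for thread, counters in parse_stats(text).items():
        pkts = counters.get(PACKETS)
        drops = counters.get(DROPS)
        entry = {"method": capture_method(thread), "packets": pkts,
                 "drops": drops, "drop_ratio": None, "ok": False}
        if pkts is not None and drops is not None:
            ratio = drops / pkts if pkts else 0.0
            entry["drop_ratio"] = ratio
            entry["ok"] = ratio <= drop_threshold
        summary[thread] = entry
    return summary


if __name__ == "__main__":
    for thread, e in sorted(capture_summary(SAMPLE).items()):
        ratio = "n/a" if e["drop_ratio"] is None else f"{e['drop_ratio']:.4f}"
        print(f"{thread:16} {e['method']:10} pkts={e['packets']} "
              f"drops={e['drops']} ratio={ratio} ok={e['ok']}")
```

Run it against a real stats.log by replacing `SAMPLE` with the file contents. The drop ratio per thread is the health figure worth watching regardless of which capture method is in use; whether af-packet or pf_ring was actually compiled in can be confirmed with `suricata --build-info`, which lists the capture modules the binary supports.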

