[Oisf-users] problem with suricata3 stats logs

erik clark philosnef at gmail.com
Thu Nov 17 12:32:37 UTC 2016 

Aha! Excellent. Yes, I see that it is spawning AF_PACKET properly in the
-vv output to console. The only engry in suricata.log that might be
relevant though is "All AFP capture threads are running.". If this is
supposed to mean AF_PACKET, could we get that clarified in a future
release?

PF_RING shows up properly with -vv, but apparently not without it.

On Wed, Nov 16, 2016 at 2:07 PM, Andreas Moe <moe.andreas at gmail.com> wrote:

> Have you tried increasing the verbosity of the logging? add "-vv" as a
> commandline flag when you run Suricata.
>
> ons. 16. nov. 2016 kl. 20.05 skrev erik clark <philosnef at gmail.com>:
>
>> I am specifying it at run time. My suricata.log has nothing indicating
>> method of acquisition... wether I use afpacket or pfring. All I have, other
>> than the startup message, is an event message indicating that all packet
>> processing threads, management threads initialized,, engine started.
>>
>> On Wed, Nov 16, 2016 at 2:00 PM, Andreas Moe <moe.andreas at gmail.com>
>> wrote:
>>
>> I know that it was previously in the stats.log, but that has been
>> changed, to make a more uniform logging format, for many different reasons.
>> But, what i was trying to convey, was that in the suricata application log,
>> it should indicate what kind of packet acquisition method is being
>> utilized. AKA, the suricata.log should say if either AF-PACKET or PF_RING
>> is being used. But then again, why are you not specifiing this when
>> starting Suricata? You cannot use them at the same time.
>>
>> ons. 16. nov. 2016 kl. 19.55 skrev erik clark <philosnef at gmail.com>:
>>
>> No. Previously this was in stats.log. Right now I have zero ways of
>> telling if pf_ring or af_packet is being properly used. :)
>>
>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>>
>>
>> capture.kernel_packets    | AFPacketeth315            | 1436331302
>> capture.kernel_drops      | AFPacketeth315            | 0
>> capture.kernel_packets    | AFPacketeth316            | 1449320230
>> capture.kernel_drops      | AFPacketeth316            | 0
>>
>>
>> On Wed, Nov 16, 2016 at 1:51 PM, Andreas Moe <moe.andreas at gmail.com>
>> wrote:
>>
>> Shouldnt suricata logging (suricata.log if enabled, and not sure of what
>> verbose level needed) indicate what acquisition method is used?
>>
>> Den ons. 16. nov. 2016, 19:45 skrev erik clark <philosnef at gmail.com>:
>>
>> Ok, so I can't tell if either pfring or afpacket is actually being used
>> by suricata. Previous versions of suricata had AFPacket in the stats.log
>> indicating one or the other is loaded. Now, all it says:
>>
>> (stat) | W#12-em3 | (value)
>>
>> How can I tell that either afpacket or pfring is _actually_ being used as
>> expected, when nothing in the stats.log file indicates that this is the
>> case? Thanks!
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://suricon.net
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161117/2a98ae8c/attachment-0002.html>

More information about the Oisf-users mailing list