[Oisf-users] problem with suricata3 stats logs

Peter Manev petermanev at gmail.com
Thu Nov 17 14:08:02 UTC 2016


On Thu, Nov 17, 2016 at 1:32 PM, erik clark <philosnef at gmail.com> wrote:
> Aha! Excellent. Yes, I see that it is spawning AF_PACKET properly in the -vv
> output to console. The only entry in suricata.log that might be relevant
> though is "All AFP capture threads are running.". If this is supposed to
> mean AF_PACKET, could we get that clarified in a future release?
>

If you increase the verbosity even further -> -vvv,
you should see something like this:

[20603] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20604] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20605] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20606] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20607] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20608] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20609] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20610] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf>
(AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768
block_nr=13 frame_size=1600 frame_nr=260
[20610] 17/11/2016 -- 15:06:46 - (source-af-packet.c:476) <Info>
(AFPPeersListReachedInc) -- All AFP capture threads are running.


> PF_RING shows up properly with -vv, but apparently not without it.
>
> On Wed, Nov 16, 2016 at 2:07 PM, Andreas Moe <moe.andreas at gmail.com> wrote:
>>
>> Have you tried increasing the verbosity of the logging? add "-vv" as a
>> commandline flag when you run Suricata.
>>
>> ons. 16. nov. 2016 kl. 20.05 skrev erik clark <philosnef at gmail.com>:
>>>
>>> I am specifying it at run time. My suricata.log has nothing indicating
>>> method of acquisition... whether I use afpacket or pfring. All I have, other
>>> than the startup message, is an event message indicating that all packet
>>> processing threads, management threads initialized, engine started.
>>>
>>> On Wed, Nov 16, 2016 at 2:00 PM, Andreas Moe <moe.andreas at gmail.com>
>>> wrote:
>>>>
>>>> I know that it was previously in the stats.log, but that has been
>>>> changed, to make a more uniform logging format, for many different reasons.
>>>> But, what i was trying to convey, was that in the suricata application log,
>>>> it should indicate what kind of packet acquisition method is being utilized.
>>>> AKA, the suricata.log should say if either AF-PACKET or PF_RING is being
>>>> used. But then again, why are you not specifying this when starting
>>>> Suricata? You cannot use them at the same time.
>>>>
>>>> ons. 16. nov. 2016 kl. 19.55 skrev erik clark <philosnef at gmail.com>:
>>>>>
>>>>> No. Previously this was in stats.log. Right now I have zero ways of
>>>>> telling if pf_ring or af_packet is being properly used. :)
>>>>>
>>>>> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>>>>>
>>>>>
>>>>> capture.kernel_packets    | AFPacketeth315            | 1436331302
>>>>> capture.kernel_drops      | AFPacketeth315            | 0
>>>>> capture.kernel_packets    | AFPacketeth316            | 1449320230
>>>>> capture.kernel_drops      | AFPacketeth316            | 0
>>>>>
>>>>>
>>>>> On Wed, Nov 16, 2016 at 1:51 PM, Andreas Moe <moe.andreas at gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Shouldn't suricata logging (suricata.log if enabled, and not sure of
>>>>>> what verbose level needed) indicate what acquisition method is used?
>>>>>>
>>>>>>
>>>>>> Den ons. 16. nov. 2016, 19:45 skrev erik clark <philosnef at gmail.com>:
>>>>>>>
>>>>>>> Ok, so I can't tell if either pfring or afpacket is actually being
>>>>>>> used by suricata. Previous versions of suricata had AFPacket in the
>>>>>>> stats.log indicating one or the other is loaded. Now, all it says:
>>>>>>>
>>>>>>> (stat) | W#12-em3 | (value)
>>>>>>>
>>>>>>> How can I tell that either afpacket or pfring is _actually_ being
>>>>>>> used as expected, when nothing in the stats.log file indicates that this is
>>>>>>> the case? Thanks!
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>>>>> Site: http://suricata-ids.org | Support:
>>>>>>> http://suricata-ids.org/support/
>>>>>>> List:
>>>>>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>>> Suricata User Conference November 9-11 in Washington, DC:
>>>>>>> http://suricon.net
>>>>>
>>>>>
>>>
>
>



-- 
Regards,
Peter Manev
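The two checks discussed in this thread (which capture method the -vvv suricata.log output shows, and whether the stats.log capture counters are dropping packets) can be scripted. The following is an added example, not code from Peter, Erik or the Suricata project; it assumes the log line layout exactly as quoted above, maps the source file named in each line (source-af-packet.c, source-pfring.c) to the capture method, and uses sample input built from the rows in the thread plus a few constructed rows (the PF_RING line and the W#12-em3 stats row are invented for illustration).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of suricata.log at -vvv, modelled on the lines quoted
# in the thread: two AF_PACKET worker threads and the final "running" line.
SAMPLE_AFPACKET_LOG = """\
[20603] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=13 frame_size=1600 frame_nr=260
[20604] 17/11/2016 -- 15:06:46 - (source-af-packet.c:1589) <Perf> (AFPComputeRingParams) -- AF_PACKET RX Ring params: block_size=32768 block_nr=13 frame_size=1600 frame_nr=260
[20610] 17/11/2016 -- 15:06:46 - (source-af-packet.c:476) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
"""

# Constructed PF_RING sample: the line number and message text are invented,
# only the source file name is what the detection keys on.
SAMPLE_PFRING_LOG = """\
[20700] 17/11/2016 -- 15:06:46 - (source-pfring.c:0) <Info> (ReceivePfringThreadInit) -- (constructed) PF_RING thread initialised
"""

# Old-style stats.log rows from the thread, plus one constructed new-style
# row (W#12-em3) that shows drops so the ratio is non-zero.
SAMPLE_STATS_LOG = """\
capture.kernel_packets    | AFPacketeth315            | 1436331302
capture.kernel_drops      | AFPacketeth315            | 0
capture.kernel_packets    | AFPacketeth316            | 1449320230
capture.kernel_drops      | AFPacketeth316            | 0
capture.kernel_packets    | W#12-em3                  | 1000000
capture.kernel_drops      | W#12-em3                  | 2500
"""

# "[tid] date -- time - (file:line) <Level> (Function) -- message"
LOG_RE = re.compile(
    r"^\[(?P<tid>\d+)\] (?P<ts>\S+ -- \S+) - "
    r"\((?P<src>[^:]+):(?P<lineno>\d+)\) <(?P<level>\w+)> "
    r"\((?P<func>\w+)\) -- (?P<msg>.*)$"
)

# Source file that emitted the line -> capture method it belongs to.
CAPTURE_SOURCES = {
    "source-af-packet.c": "AF_PACKET",
    "source-pfring.c": "PF_RING",
}

# "counter | thread | value" rows of the pre-3.x stats.log table.
STATS_RE = re.compile(r"^(?P<counter>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$")


def parse_log_lines(log_text):
    """Yield one dict per suricata.log line that matches the known layout."""
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def detect_capture_method(log_text):
    """Report which capture module logged, how many worker threads it started,
    the RX ring parameters (AF_PACKET only) and whether all threads came up."""
    methods = Counter()
    threads = set()
    ring_params = {}
    all_running = False
    for rec in parse_log_lines(log_text):
        method = CAPTURE_SOURCES.get(rec["src"])
        if method is None:
            continue  # not a capture-module line
        methods[method] += 1
        if "capture threads are running" in rec["msg"]:
            all_running = True
            continue  # summary line, not a worker thread
        threads.add(rec["tid"])
        if rec["func"] == "AFPComputeRingParams" and "params: " in rec["msg"]:
            pairs = (kv.split("=", 1) for kv in rec["msg"].split("params: ", 1)[1].split())
            ring_params = {k: int(v) for k, v in pairs}
    return {
        "method": methods.most_common(1)[0][0] if methods else None,
        "threads": len(threads),
        "ring_params": ring_params,
        "all_running": all_running,
    }


def capture_health(stats_text):
    """Per capture thread: kernel packets, kernel drops, drop percentage, and
    the method when the old thread naming (AFPacket<iface>) still reveals it."""
    per_thread = defaultdict(dict)
    for raw in stats_text.splitlines():
        m = STATS_RE.match(raw.strip())
        if m:
            per_thread[m["thread"]][m["counter"]] = int(m["value"])
    report = {}
    for thread, counters in per_thread.items():
        packets = counters.get("capture.kernel_packets", 0)
        drops = counters.get("capture.kernel_drops", 0)
        report[thread] = {
            "packets": packets,
            "drops": drops,
            "drop_pct": round(100.0 * drops / packets, 4) if packets else 0.0,
            "method": "AF_PACKET" if thread.startswith("AFPacket") else "unknown",
        }
    return report


if __name__ == "__main__":
    print(detect_capture_method(SAMPLE_AFPACKET_LOG))
    print(detect_capture_method(SAMPLE_PFRING_LOG))
    for thread, row in capture_health(SAMPLE_STATS_LOG).items():
        print(thread, row)
```

Run it against a real suricata.log started with -vvv and the matching stats.log; a thread name in the new W#N-iface form yields "unknown" from stats alone, which is exactly why the -vvv application log is the place to confirm the method.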


