[Oisf-users] How to discover Dropped packets
Filippo Carletti
filippo.carletti at gmail.com
Thu Oct 27 08:26:56 UTC 2016
Hello,
I can't find documentation on how to debug dropped packets. I'll try
to explain what I'm observing.
I'm running Suricata with 0 drop rules, drop.log enabled (and empty),
but when I stop suricata, I have log lines like these:
Aug 19 18:08:47 nethsecurity7 suricata: 19/8/2016 -- 18:08:47 -
<Notice> - (RX-Q0) Treated: Pkts 910785, Bytes 841726635, Errors 0
Aug 19 18:08:47 nethsecurity7 suricata: 19/8/2016 -- 18:08:47 -
<Notice> - (RX-Q0) Verdict: Accepted 897541, Dropped 13243, Replaced 0
If I look at stats.log I find the same value:
ips.blocked | Total | 13243
If I add some drop rules, I have them (but only them) logged in drop.log.
Suricata receives traffic from nfqueue on CentOS 7.
midstream pickup set to true doesn't make any difference.
I double checked my iptables rules, but I can't find potential traffic
partially sent to Suricata.
Do you have any suggestion on how to discover dropped packets?
Thank you.
--
Ciao,
Filippo
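A small reconciliation script for the counters quoted in this post, added here as an illustration and not code from the poster or from the Suricata project. It parses the two shutdown `<Notice>` lines and the `stats.log` `ips.blocked` line in exactly the format shown above, counts the entries in drop.log (assumed to be one entry per non-blank line), and reports how many DROP verdicts the rule-driven drop.log does not account for. The sample input is constructed from the lines quoted in the post; the per-queue grouping on the `(RX-Q0)` tag is an assumption about the log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the shutdown <Notice> lines and the stats.log
# line as quoted in the post, each log line given as one string.
SAMPLE_NOTICE_LINES = [
    "Aug 19 18:08:47 nethsecurity7 suricata: 19/8/2016 -- 18:08:47 - "
    "<Notice> - (RX-Q0) Treated: Pkts 910785, Bytes 841726635, Errors 0",
    "Aug 19 18:08:47 nethsecurity7 suricata: 19/8/2016 -- 18:08:47 - "
    "<Notice> - (RX-Q0) Verdict: Accepted 897541, Dropped 13243, Replaced 0",
]
SAMPLE_STATS_LINES = ["ips.blocked | Total | 13243"]
SAMPLE_DROP_LOG_LINES: List[str] = []   # drop.log was empty in the post

# Patterns derived from the quoted lines; the "(RX-Q0)" queue tag is assumed
# to identify the nfqueue receive thread the counters belong to.
TREATED_RE = re.compile(
    r"\((?P<queue>[^)]+)\) Treated: Pkts (?P<pkts>\d+), "
    r"Bytes (?P<bytes>\d+), Errors (?P<errors>\d+)"
)
VERDICT_RE = re.compile(
    r"\((?P<queue>[^)]+)\) Verdict: Accepted (?P<accepted>\d+), "
    r"Dropped (?P<dropped>\d+), Replaced (?P<replaced>\d+)"
)
STATS_RE = re.compile(r"^\s*(?P<name>[\w.]+)\s*\|\s*Total\s*\|\s*(?P<value>\d+)\s*$")


def parse_notice_lines(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Collect Treated/Verdict counters per queue tag from shutdown Notice lines."""
    per_queue: Dict[str, Dict[str, int]] = {}
    for line in lines:
        m = TREATED_RE.search(line)
        if m:
            q = per_queue.setdefault(m["queue"], {})
            q.update(pkts=int(m["pkts"]), bytes=int(m["bytes"]), errors=int(m["errors"]))
            continue
        m = VERDICT_RE.search(line)
        if m:
            q = per_queue.setdefault(m["queue"], {})
            q.update(accepted=int(m["accepted"]), dropped=int(m["dropped"]),
                     replaced=int(m["replaced"]))
    return per_queue


def parse_stats_counter(lines: List[str], name: str) -> Optional[int]:
    """Return the Total column for one stats.log counter, or None if absent."""
    for line in lines:
        m = STATS_RE.match(line)
        if m and m["name"] == name:
            return int(m["value"])
    return None


def reconcile(notice_lines: List[str], stats_lines: List[str],
              drop_log_lines: List[str]) -> Dict[str, object]:
    """Compare verdict counters, ips.blocked and drop.log entries."""
    queues = parse_notice_lines(notice_lines)
    pkts = sum(q.get("pkts", 0) for q in queues.values())
    accepted = sum(q.get("accepted", 0) for q in queues.values())
    dropped = sum(q.get("dropped", 0) for q in queues.values())
    replaced = sum(q.get("replaced", 0) for q in queues.values())
    blocked = parse_stats_counter(stats_lines, "ips.blocked")
    rule_drops = sum(1 for l in drop_log_lines if l.strip())   # one entry per line (assumed)
    return {
        "treated_pkts": pkts,
        "verdict_total": accepted + dropped + replaced,
        # packets counted as treated but not covered by any verdict counter
        "unaccounted_pkts": pkts - (accepted + dropped + replaced),
        "dropped_verdicts": dropped,
        "ips_blocked": blocked,
        "counters_agree": blocked == dropped,
        "drop_log_entries": rule_drops,
        # DROP verdicts that no drop.log entry explains
        "drops_not_in_drop_log": dropped - rule_drops,
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_NOTICE_LINES, SAMPLE_STATS_LINES,
                                SAMPLE_DROP_LOG_LINES).items():
        print(f"{key}: {value}")
```

On the numbers in the post the script confirms that `ips.blocked` and the `Dropped` verdict counter agree, that none of the 13243 drops is explained by drop.log, and that the verdict counters sum to one packet fewer than `Treated: Pkts`. It only tells you whether the counters are consistent with drop.log; it does not tell you which component issued the verdicts, so it is a starting point for narrowing down where to look rather than an answer by itself.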