[Oisf-users] How to discover Dropped packets
Andreas Herz
andi at geekosphere.org
Thu Oct 27 19:37:31 UTC 2016
Hi,
On 27/10/16 at 10:26, Filippo Carletti wrote:
> Hello,
> I can't find documentation on how to debug dropped packets. I'll try
> to explain what I'm observing.
> I'm running Suricata with 0 drop rules, drop.log enabled (and empty),
> but when I stop suricata, I have log lines like these:
>
> Aug 19 18:08:47 nethsecurity7 suricata: 19/8/2016 -- 18:08:47 -
> <Notice> - (RX-Q0) Treated: Pkts 910785, Bytes 841726635, Errors 0
> Aug 19 18:08:47 nethsecurity7 suricata: 19/8/2016 -- 18:08:47 -
> <Notice> - (RX-Q0) Verdict: Accepted 897541, Dropped 13243, Replaced 0
>
> If I look at stats.log I find the same value:
>
> ips.blocked | Total | 13243
There are some cases where you will have dropped packets within
suricata. I had such an issue with nfqueue as well, see:
https://redmine.openinfosecfoundation.org/issues/1749
So what you could start with is to check if you run into the same part
as I did. I added output to make sure that's the section of the code
that my dropped packets ran into.
It would also be helpful if you could reproduce the issue with dedicated
traffic so we could look into that. I also assume that it's not a
load/performance issue?
--
Andreas Herz