Please include the following information with your help request:
Suricata version stable-22.11.2
ubuntu 22.04
compiled with dpdk support
I am reporting stats every second for Suricata, and I am seeing that there are certain seconds where I get no updates in the Suricata stats. I have changed the settings for Suricata to report every second instead of every 8 seconds. I think that causes some peaks in the following bytes, which leads to a higher max bandwidth value (something that is not really happening).
I am focusing on the Decoder.Bytes field to calculate the bandwidth. In the second image, the number of packets is what is being plotted.
Which metric should I use to calculate suricata bandwidth?
I'll also answer "Best way to get bandwidth in Suricata?" as these two almost seem like duplicates.
I think you are on the right track - decoder.bytes can be used to calculate the bandwidth that your Suricata instance is actually able to process.
To calculate the bandwidth that is currently arriving at your NIC directly, I would probably use ethtool stats. Unfortunately, I am not aware of Suricata calculating that directly in some stats output.
I feel like, generally, users observe these stats when Suricata is connected to a SIEM of some kind, e.g. ELK. To have it directly in the Suricata stats, I guess it could be a nice beginner-friendly contribution to the stats.
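To illustrate the spike the question describes, here is an added example (not code from the thread's participants or from the Suricata project) that computes the processed bandwidth from the cumulative `stats.decoder.bytes` counter in eve.json `stats` records. It divides each byte delta by the actual elapsed time between two consecutive records instead of assuming the configured interval, so a skipped second does not turn into a doubled value, and it skips a negative delta, which happens when the counter resets after a Suricata restart. The eve lines are constructed for the example, and the timestamp format `%Y-%m-%dT%H:%M:%S.%f%z` is assumed to match the default eve `timestamp` field (e.g. `2023-05-10T12:00:00.000000+0000`).

```python
import json
from datetime import datetime

# Constructed eve.json lines (not real Suricata output). One "stats" record per
# second with decoder.bytes growing by 125,000,000 bytes/s (1 Gbit/s), except:
#   - the record for :03 is missing (the gap the question describes)
#   - the record for :06 shows the counter reset after a restart
#   - one non-stats event is mixed in to show it is filtered out
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-05-10T12:00:00.000000+0000","event_type":"stats","stats":{"uptime":100,"decoder":{"pkts":1000000,"bytes":1000000000}}}',
    '{"timestamp":"2023-05-10T12:00:01.000000+0000","event_type":"stats","stats":{"uptime":101,"decoder":{"pkts":1100000,"bytes":1125000000}}}',
    '{"timestamp":"2023-05-10T12:00:01.500000+0000","event_type":"alert","alert":{"signature_id":1}}',
    '{"timestamp":"2023-05-10T12:00:02.000000+0000","event_type":"stats","stats":{"uptime":102,"decoder":{"pkts":1200000,"bytes":1250000000}}}',
    '{"timestamp":"2023-05-10T12:00:04.000000+0000","event_type":"stats","stats":{"uptime":104,"decoder":{"pkts":1400000,"bytes":1500000000}}}',
    '{"timestamp":"2023-05-10T12:00:05.000000+0000","event_type":"stats","stats":{"uptime":105,"decoder":{"pkts":1500000,"bytes":1625000000}}}',
    '{"timestamp":"2023-05-10T12:00:06.000000+0000","event_type":"stats","stats":{"uptime":1,"decoder":{"pkts":40000,"bytes":50000000}}}',
]

# Assumed to match Suricata's default eve timestamp layout.
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_stats(lines):
    """Return [(datetime, decoder_bytes), ...] for the eve 'stats' records only."""
    samples = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "stats":
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS_FORMAT)
        samples.append((ts, rec["stats"]["decoder"]["bytes"]))
    return samples


def bandwidth_mbps(samples, fixed_interval=None):
    """Return [(iso_timestamp, mbit_per_s), ...] for consecutive stats samples.

    fixed_interval: divide each byte delta by this many seconds (the naive
    approach, which spikes when a stats record is skipped). When None, divide
    by the real elapsed time between the two records instead.
    """
    rates = []
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        delta = b1 - b0
        if delta < 0:
            # Counter went backwards: Suricata restarted, no meaningful rate.
            continue
        seconds = fixed_interval if fixed_interval else (t1 - t0).total_seconds()
        if seconds <= 0:
            continue
        rates.append((t1.isoformat(), delta * 8 / seconds / 1e6))
    return rates


if __name__ == "__main__":
    samples = parse_stats(SAMPLE_EVE_LINES)
    print("naive (assumes 1 s between records):")
    for ts, mbps in bandwidth_mbps(samples, fixed_interval=1.0):
        print(f"  {ts}  {mbps:8.1f} Mbit/s")
    print("elapsed-time aware:")
    for ts, mbps in bandwidth_mbps(samples):
        print(f"  {ts}  {mbps:8.1f} Mbit/s")
```

With the gap at :03, the naive calculation reports 2000 Mbit/s at :04 even though the processed rate never left 1000 Mbit/s; dividing by the measured elapsed time removes that artifact, and the restart record is dropped rather than producing a huge negative value. This measures what Suricata decoded, as the answer says; bytes that never reached the decoder (NIC or DPDK drops) are not in decoder.bytes.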