Hello, everyone.
This is my first time using Suricata.
My environment is as follows.
OS: Debian 12 (kernel version: 6.1.0-22-amd)
Suricata version: 7.0.6 (apt install from the bookworm-backports repository)
Run options:
- af-packet mode: suricata --af-packet=eno6 -c /etc/suricata/suricata.yaml --runmode workers -vvv
- af-xdp mode: suricata --af-xdp=eno6 -c /etc/suricata/suricata.yaml --runmode workers -vvv
I sent about 37500000 packets (340Mbps) by tcpreplay.
The test results in each mode are as follows.
af-packet mode:
- drop rate: 95% (recorded in suricata.log)
- alerts: 1772961 entries recorded in fast.log
af-xdp mode:
- drop rate: 0.04% (but not recorded in suricata.log)
- alerts: no entry in fast.log
I have only changed the run option and have not changed any files (e.g. suricata.yaml).
Why did the difference occur?