Difference between af-packet mode and af-xdp mode

Hello, everyone.
This is my first time using Suricata.
My environment is as follows.

OS: Debian 12 (kernel version: 6.1.0-22-amd)
Suricata version: 7.0.6 (apt install from bookworm-backports repository)
Run option:

  • af-packet mode: suricata --af-packet=eno6 -c /etc/suricata/suricata.yaml --runmode workers -vvv
  • af-xdp mode: suricata --af-xdp=eno6 -c /etc/suricata/suricata.yaml --runmode workers -vvv

I sent about 37500000 packets (340Mbps) by tcpreplay.
The test results in each mode are as follows.

af-packet mode:

  • drop rate: 95% (recorded in suricata.log)
  • alerts: 1772961 entries recorded in fast.log

af-xdp mode:

  • drop rate: 0.04% (but not recorded in suricata.log)
  • alerts: no entry in fast.log

I have only changed the run option and have not changed any files (e.g. suricata.yaml).
Why did the difference occur?

Please add the suricata.yaml, stats.log and suricata.log for both scenarios.
The 95% drop rate sounds like a config issue.

1 Like

Thank you for your reply, but this problem has been solved.
I'm so glad that you support if I have a new problem.