Hi,
I’m currently analyzing Suricata logs while running it in AF_PACKET capture mode and have a couple of questions regarding the packet drop statistics.
- In the `stats.log` file, there is a `capture.kernel_drops` metric that indicates the number of packets dropped by the kernel. However, in the `suricata.log` file, there is another metric labeled `drops`, which often shows a different value. What is the difference between these two metrics, and why might their values not align?
- In the `stats.log` file, there is also a `capture.kernel_packets` parameter that represents the total number of packets handled by the kernel. Does this count include the packets that were dropped (`capture.kernel_drops`), or does it only account for the packets that were successfully captured and processed by Suricata?
I think that capture.kernel_packets represents the number of packets sent to Suricata by the kernel, while capture.kernel_drops represents the number of packets discarded by the kernel, so never sent to Suricata. In conclusion, the drops metric in the suricata.log file likely refers to the packets that Suricata was unable to process after they were handed over by the kernel.
I’d appreciate any insights or references to documentation that could help clarify these points. Thank you!
Additional notes
- Suricata version: 7.0.7 (from source)
- OS: Ubuntu 22.04
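As an added example (not part of the original post and not Suricata's own code), the following Python script parses the `stats.log` table format the question refers to and computes the kernel drop ratio both cumulatively and per dump interval. It assumes the default `stats.log` layout (one `Date:` header per dump, then `counter | TM name | value` rows) and that the counter values are cumulative totals since start, so per-interval figures are taken from deltas between consecutive dumps. The log lines embedded below are constructed sample data, not output from a real sensor, and the 1% threshold is an arbitrary choice for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of two consecutive stats.log dumps (made up for this example).
# Layout mimics stats.log: a "Date:" header per dump, then counter | TM name | value rows.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 1/1/2025 -- 12:00:00 (uptime: 0d, 00h 00m 08s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 100000
capture.kernel_drops                       | Total                     | 500
------------------------------------------------------------------------------------
Date: 1/1/2025 -- 12:00:16 (uptime: 0d, 00h 00m 16s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 250000
capture.kernel_drops                       | Total                     | 3500
"""

# A counter row: name | thread-module name | integer value. The header row
# ("Counter | TM Name | Value") does not match because "TM Name" has a space
# and "Value" is not numeric.
COUNTER_RE = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[\w-]+)\s*\|\s*(?P<value>\d+)\s*$")
DATE_RE = re.compile(r"^Date:\s*(?P<date>.+?)\s*\(uptime")


def parse_stats_log(text: str) -> List[Dict]:
    """Split stats.log text into dumps: [{"date": str, "counters": {name: int}}, ...]."""
    dumps: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current = {"date": m.group("date"), "counters": {}}
            dumps.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current["counters"][m.group("name")] = int(m.group("value"))
    return dumps


def drop_ratio(packets: int, drops: int) -> float:
    """Fraction of kernel-reported packets that the kernel reported as dropped.

    Returns 0.0 when no packets were counted, so an empty or fresh dump does
    not raise a ZeroDivisionError."""
    return drops / packets if packets else 0.0


def cumulative_drop_ratios(dumps: List[Dict]) -> List[float]:
    """Drop ratio of each dump's cumulative totals (drops / packets since start)."""
    return [
        drop_ratio(d["counters"].get("capture.kernel_packets", 0),
                   d["counters"].get("capture.kernel_drops", 0))
        for d in dumps
    ]


def interval_drop_ratios(dumps: List[Dict]) -> List[float]:
    """Drop ratio per interval, from deltas between consecutive cumulative dumps."""
    ratios = []
    for prev, cur in zip(dumps, dumps[1:]):
        d_packets = (cur["counters"].get("capture.kernel_packets", 0)
                     - prev["counters"].get("capture.kernel_packets", 0))
        d_drops = (cur["counters"].get("capture.kernel_drops", 0)
                   - prev["counters"].get("capture.kernel_drops", 0))
        ratios.append(drop_ratio(d_packets, d_drops))
    return ratios


def intervals_over_threshold(dumps: List[Dict], threshold: float = 0.01) -> List[Tuple[str, float]]:
    """(dump date, ratio) for every interval whose drop ratio exceeds the threshold."""
    return [
        (cur["date"], r)
        for cur, r in zip(dumps[1:], interval_drop_ratios(dumps))
        if r > threshold
    ]


if __name__ == "__main__":
    parsed = parse_stats_log(SAMPLE_STATS_LOG)
    for d, cum in zip(parsed, cumulative_drop_ratios(parsed)):
        print(f"{d['date']}: cumulative kernel drop ratio {cum:.3%}")
    for date, r in intervals_over_threshold(parsed):
        print(f"interval ending {date}: {r:.3%} dropped (over 1% threshold)")
```

Because the totals are cumulative, a single dump's ratio averages over the whole run and can hide a short burst of drops; the per-interval delta is what you would alert on when watching a live `stats.log`.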