When using Suricata (several versions 7.0.x and 8.0.x, on Debian bookworm and trixie), I have never been able to successfully use the hardware flow table on Napatech NICs (NT200A02). The ultimate goal is to use the hardware bypass feature of the card, so that, e.g., TLS flow packets and their sizes are only counted in the flow table after the TLS handshake and will never reach the CPU RAM.
I followed the guides to configure the napatech section of suricata.yaml, as well as the Napatech service file ntservice.ini. When using the Napatech “monitoring” tool, it shows that the feature is available on the NIC and on the installed firmware, but the flow table is never populated.
Have any of you had success in activating the hardware flow table feature?
As a side note, I have to configure the Napatech streams manually, since I have a more complex NTPL config for selecting and dividing the monitored traffic. Thus, I am not able to use the napatech auto-config switch in suricata.yaml.