High Packet Drop Rate with DPDK compared to AF_PACKET in Suricata 7.0.7

To my knowledge, the kernel (af-packet) is, independently from Suricata, receiving packets into its structures, from the HW queues to the software queues and those are bigger than the HW queues.

DPDK Suricata receives packets directly from those HW queues, which are read only in batches: Suricata needs to process a batch and only then gets another batch. These queues might get full on some workload bursts, and because the kernel receives the data continuously, independently of the Suricata processing, the workload spikes are handled better.

I stumbled upon this problem here, I forgot to reply to André though.

@vendul0g if you compile DPDK yourself there is one suggestion in the thread - increase the count of RX/TX descriptors by editing the respective files in DPDK (and then compile and install it) as André and myself suggested.

DPDK compilation is pretty easy, once cloned you need only something like:

# uninstall the previously installed DPDK
meson --prefix=/usr/ build # to be installed globally
ninja -C build
sudo ninja -C build install
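The burst argument in the post above can be checked with a small queue model. This is an added example, not code from the thread, Suricata or DPDK. The ring sizes, batch budget and traffic trace are constructed values, and `simulate` and `burst_trace` are hypothetical names.

```python
# Constructed model: a fixed-size RX descriptor ring filled by the NIC and
# drained by one worker that processes a bounded batch per tick.

def burst_trace(ticks, base, burst, burst_every, burst_len):
    """Per-tick packet arrivals: `base` normally, `burst` during the first
    `burst_len` ticks of every `burst_every`-tick window."""
    return [burst if t % burst_every < burst_len else base
            for t in range(ticks)]


def simulate(ring_size, arrivals, drain_per_tick):
    """Return (delivered, dropped, peak_occupancy) for an arrival trace.

    ring_size      -- RX descriptors available to hold packets
    drain_per_tick -- packets the worker finishes per tick (batch budget)
    """
    queued = delivered = dropped = peak = 0
    for incoming in arrivals:
        # The NIC can only place packets into free descriptors; the rest
        # are dropped before the worker ever sees them.
        accepted = min(incoming, ring_size - queued)
        dropped += incoming - accepted
        queued += accepted
        peak = max(peak, queued)
        # The worker takes at most one batch, then the next tick begins.
        batch = min(queued, drain_per_tick)
        queued -= batch
        delivered += batch
    return delivered + queued, dropped, peak  # leftover drains after trace


if __name__ == "__main__":
    # Average load (39 pkts/tick) is below the worker's budget (64), yet
    # short bursts of 400 pkts/tick overflow a small ring.
    trace = burst_trace(ticks=300, base=20, burst=400,
                        burst_every=100, burst_len=5)
    for ring in (1024, 2048, 4096):
        delivered, dropped, peak = simulate(ring, trace, drain_per_tick=64)
        print(f"ring={ring:5d} delivered={delivered:6d} "
              f"dropped={dropped:5d} peak={peak:5d}")
```

The peak occupancy reported for the largest ring is the smallest descriptor count that absorbs this particular trace without loss.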