Hello,
I am working on a sensor that can process multiple tens of Gbit/s, and I’m still not entirely sure about the meaning of certain statistics.
My assumption now is that the decoder stats such as decoder.pkts and decoder.bytes show how many packets and how much volume Suricata has actually processed and not dropped. My interface receives around 50Gbit/s, which is too much for the sensor to process.
capture.kernel_drops_delta / capture.kernel_packets_delta is around 0.3 (30%) and decoder.bytes fluctuates between 30 and 35Gbit/s. Does that mean Suricata successfully processes this amount? Of course we cannot predict which packets are dropped.
Thanks in advance!