Seeing a lot of "decoder.invalid" when using bond interface

noob_17 · January 12, 2023, 2:56pm

When using a bond interface in af-packet and workers mode, i see the “decoder.invalid” counter increasing constantly.

capture.kernel_packets                        | Total                     | 15725713
capture.kernel_drops                          | Total                     | 116756
decoder.invalid                               | Total                     | 1683697

capture.kernel_packets                        | Total                     | 22913657
capture.kernel_drops                          | Total                     | 173964
decoder.invalid                               | Total                     | 2152034

I noticed that the "decoder.invalid" value ins the same has "decoder.event.ipv4.trunc_pkt | Total | 2152034

Andreas_Herz · January 17, 2023, 10:02pm

What version are you running?
How does your suricata.yaml look like?
How do you start suricata?

How is the traffic forwarded?
Bond interfaces can be tricky

noob_17 · January 19, 2023, 9:58am

Version 6.0.9
Af-packet mode, cluster-flow and workers running mode
Start Suricata with systemctl
Traffic is being mirrored from the switch

bond interface is configured in balance-rr mode

Andreas_Herz · January 24, 2023, 2:50pm

What is the reason for the bond interface?
You could try to compare it without the bond to see if there is a diff.