Hi,
I keep seeing an increase of tcp.pkt_on_wrong_thread when using workers mode. When switching to autofp mode, the issue disappears.
Is there any possible solution to this?
That is currently still a work in progress, see Optimization #2725: stream/packet on wrong thread - Suricata - Open Information Security Foundation
but there are a lot of things that depend on it.
So you can try cluster_qm mode with RSS enabled and play around with the flow distribution support of your NIC.
I configured a bond interface and the issue is apparently gone.
Do you get your traffic from a fiber tap? Suricata does not like getting RX and TX on different interfaces without autofp.
It is OK, I do some test.
Just using IPS mode for IDS will resolve this problem if the traffic comes from an optical tap (set copy-mode: ips in the af-packet interface, maybe lower performance; only plug the RX fiber into 2 transceivers to receive; use "ip link set eth1 promisc on arp off up").
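Added example, not part of any post in this thread: a small script to check whether a change such as the bond interface or a different runmode really stopped tcp.pkt_on_wrong_thread from growing, by computing its increase per stats interval from eve.json. It assumes EVE stats logging is enabled and reads the cumulative counters stats.uptime, stats.decoder.pkts and stats.tcp.pkt_on_wrong_thread; the sample records are constructed.

```python
import json

# Constructed sample EVE records (not from the thread). Suricata's counters
# are cumulative since start, so only the per-interval deltas are meaningful.
SAMPLE_EVE = """\
{"timestamp":"2020-01-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"decoder":{"pkts":100000},"tcp":{"pkt_on_wrong_thread":0}}}
{"timestamp":"2020-01-01T10:00:01.000000+0000","event_type":"alert","alert":{"signature":"constructed"}}
{"timestamp":"2020-01-01T10:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"decoder":{"pkts":250000},"tcp":{"pkt_on_wrong_thread":30000}}}
{"timestamp":"2020-01-01T10:02:00.000000+0000","event_type":"stats","stats":{"uptime":180,"decoder":{"pkts":400000},"tcp":{"pkt_on_wrong_thread":30000}}}
{"timestamp":"2020-01-01T10:03:00.000000+0000","event_type":"stats","stats":{"uptime":8,"decoder":{"pkts":5000},"tcp":{"pkt_on_wrong_thread":1000}}}
truncated line {
"""


def wrong_thread_deltas(lines):
    """Return [(timestamp, new_wrong_thread_pkts, new_pkts, ratio)] per stats record."""
    out, prev = [], None
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip partial lines, e.g. from log rotation
        if not isinstance(ev, dict) or ev.get("event_type") != "stats":
            continue
        stats = ev.get("stats", {})
        cur = (stats.get("uptime", 0),
               stats.get("decoder", {}).get("pkts", 0),
               stats.get("tcp", {}).get("pkt_on_wrong_thread", 0))
        if prev is None or cur[0] < prev[0]:
            # First record, or uptime went backwards (Suricata restarted and
            # the counters reset): the current values are the totals since start.
            d_pkts, d_wrong = cur[1], cur[2]
        else:
            d_pkts, d_wrong = cur[1] - prev[1], cur[2] - prev[2]
        ratio = d_wrong / d_pkts if d_pkts else 0.0
        out.append((ev.get("timestamp"), d_wrong, d_pkts, ratio))
        prev = cur
    return out


if __name__ == "__main__":
    for ts, wrong, pkts, ratio in wrong_thread_deltas(SAMPLE_EVE.splitlines()):
        print(f"{ts}  wrong_thread +{wrong}  pkts +{pkts}  ({ratio:.1%})")
```

To run it against a live sensor, pass the open eve.json file object to wrong_thread_deltas() instead of the sample lines.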