Hi, Suresh!
Thank you for sharing the stats. Following is what I could come up with:
- Since you’re using cluster_qm type, please make sure that:
   a. RSS symmetric hashing is enabled
   b. Disable NIC offloading except rx/tx checksums
   c. Set proper affinity
   d. any other optimizations you can think of (check the ones mentioned by Andreas: Suricata high capture.kernel_drops count - #8 by Andreas_Herz)
- Try increasing your ring-size
- AF_PACKET v2 seems to be recommended with IPS, so make sure you’re using that
Drops shouldn’t be as high as they are currently indeed. Let’s see if something works out with the above mentioned things.
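
Added example, not part of the original post or Suresh's configuration: a suricata.yaml fragment that puts the checklist above in one place for an AF_PACKET IPS pair. The interface names (eth0/eth1), the queue and thread count of 4, the CPU ids, the cluster ids and the ring-size value are all assumed and must be adapted to the actual host.

```yaml
# Assumed values throughout: eth0/eth1, 4 RSS queues, CPUs 0-4, ring-size 20000.
# NIC preparation for items a and b, run as root for each interface:
#   ethtool -L eth0 combined 4                      # 4 RSS queues
#   ethtool -X eth0 hkey <symmetric-key> equal 4    # symmetric RSS hashing
#   ethtool -K eth0 gro off lro off tso off gso off sg off
#   (rx/tx checksum offload is left enabled)
af-packet:
  - interface: eth0
    threads: 4                # cluster_qm: one worker per RSS queue
    cluster-id: 98
    cluster-type: cluster_qm  # bind each socket to a NIC queue
    defrag: no
    use-mmap: yes
    tpacket-v3: no            # AF_PACKET v2, as recommended with IPS
    ring-size: 20000          # raised ring size; tune against memory
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    threads: 4                # must match the peer interface
    cluster-id: 97            # different cluster-id per interface
    cluster-type: cluster_qm
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    ring-size: 20000
    copy-mode: ips
    copy-iface: eth0

# Item c: pin workers so each one stays on its own core.
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - worker-cpu-set:
        cpu: [ "1-4" ]
        mode: "exclusive"
```

After a restart, compare capture.kernel_packets and capture.kernel_drops in stats.log over the same traffic window to see whether the drop ratio has moved.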