Suricata ahead of time

Hi,

Suricata creates event ahead of system time?!?

Cheers,
André

]# tail -f -s0 /data/sensor_data/suricata/eve.39.json | jq .timestamp
"2024-06-20T09:47:56.029855+0200"
"2024-06-20T09:47:56.068386+0200"
"2024-06-20T09:47:56.068737+0200"
"2024-06-20T09:47:56.068981+0200"
"2024-06-20T09:47:56.103426+0200"
"2024-06-20T09:47:56.103549+0200"
"2024-06-20T09:47:56.103614+0200"
"2024-06-20T09:47:56.106758+0200"
^C
]# date
Thu Jun 20 09:46:32 CEST 2024

Red Hat Enterprise Linux release 8.10 (Ootpa)
Kernel 4.18.0-553.5.1.el8_10.x86_64
Suricata from git : "8.0.0-dev (625639140 2024-06-18)", "return": "OK"}
DPDK from git : EAL: RTE Version: 'DPDK 24.03.0'

Local time is CEST (Summertime)
~]# hwclock --verbose
hwclock from util-linux 2.32.1
System Time: 1718869786.311081
Trying to open: /dev/rtc0
Using the rtc interface to the clock.
Last drift adjustment done at 0 seconds after 1969
Last calibration done at 0 seconds after 1969
Hardware clock is on UTC time
Assuming hardware clock is kept in UTC time.
Waiting for clock tick...
...got clock tick
Time read from Hardware Clock: 2024/06/20 07:49:47
Hw clock time : 2024/06/20 07:49:47 = 1718869787 seconds since 1969
Time since last adjustment is 1718869787 seconds
Calculated Hardware Clock drift is 0.000000 seconds
2024-06-20 09:49:46.293680+02:00


{
  "timestamp": "2024-06-21T10:31:21.304363+0200",
  "flow_id": 383760862543182,
  "in_iface": "0000:84:00.0",
  "event_type": "tls",
  "vlan": [
    3902
  ],
  "src_ip": "172.18.9.245",
  "src_port": 58327,
  "dest_ip": "17.248.236.67",
  "dest_port": 443,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tls": {
    "sni": "gateway.icloud.com",
    "version": "TLS 1.3",
    "ja3": {
      "hash": "773906b0efdefa24a7f2b8eb6985bf37",
      "string": "771,4865-4866-4867-49196-49195-52393-49200-49199-52392-49162-49161-49172-49171-157-156-53-47-49160-49170-10,0-23-65281-10-11-16-5-13-18-51-45-43-27-21,29-23-24-25,0"
    },
    "ja3s": {
      "hash": "f4febc55ea12b31ae17cfb7e614afda8",
      "string": "771,4865,43-51"
    },
    "client_alpns": [
      "h2",
      "http/1.1"
    ]
  }
}
^C

[root@scomp1720 suricata]# date
Fri Jun 21 10:29:58 CEST 2024

Any insight please? Am I misinterpreting the data, or does Suricata do something special regarding timestamps other than using the OS system time?
Cheers,
Andre

Hi Andre,

Suricata uses the packet timestamp for the EVE records and there’s no processing of said timestamp for the logs.

Talking about this, we wonder if this is due to either the NICs timestamp, or maybe some DPDK processing of time, which could lead to that difference.

Checking what type of NIC you are using could provide some insight…

If you do find out this one, do share with us!

Hi Ju,

Thanks for your time:
]# dpdk-devbind.py -s

Network devices using DPDK-compatible driver

0000:0f:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection 10fb' drv=vfio-pci unused=ixgbe
0000:10:00.0 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:10:00.1 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:84:00.0 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:84:00.1 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice

I’m trying to find out if all 4 interfaces face the same timestamp shizzle.

Hi Andre,

Interesting observation. Both examples are 83/84 seconds apart. We don’t do HW timestamping, so the NIC should not be an issue. DPDK uses the TSC counter to get the timestamp for packets, maybe that might be a little different.

CyclesToSeconds(rte_get_tsc_cycles());

Little addition per nic:
2
Fri Jun 21 12:07:53 CEST 2024
"time=2024-06-21T12:09:28.826798+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.833188+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.848973+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.871300+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.872395+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.872457+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.872729+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.888272+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.888460+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:28.916284+0200 iface=0000:10:00.0"
"time=2024-06-21T12:09:29.066582+0200 iface=0000:10:00.0"

28
Fri Jun 21 12:07:54 CEST 2024
"time=2024-06-21T12:09:28.985939+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.002403+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.003392+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.078151+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.078233+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.078300+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.094401+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.103984+0200 iface=0000:84:00.0"
"time=2024-06-21T12:09:29.124282+0200 iface=0000:84:00.0"

70
Fri Jun 21 12:07:54 CEST 2024
"time=2024-06-21T12:09:29.507462+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.507575+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.507780+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.508956+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.509723+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.523603+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.526512+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.526671+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.528183+0200 iface=0000:0f:00.0"
"time=2024-06-21T12:09:29.528956+0200 iface=0000:0f:00.0"

86
Think this started after moving from DPDK 23 to 24, but not 100% sure about that.

Fri Jun 21 12:07:54 CEST 2024
"time=2024-06-21T12:09:29.472319+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.518899+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.518899+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.589597+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.608167+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.609599+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.653961+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.654088+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.654400+0200 iface=0000:84:00.1"
"time=2024-06-21T12:09:29.654877+0200 iface=0000:84:00.1"

I seem to have a 2-second delta between kernel and DPDK time functions both on DPDK 21.11 and 24.03 so it’s probably not DPDK-related - measured on Suricata startup

Notice: dpdk: DPDKSetTimevalReal: 1718976591 GettimeofDay: 1718976589 [ReceiveDPDKLoop:source-dpdk.c:413]
Notice: threads: Threads created -> W: 7 FM: 1 FR: 1   Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1925]

Maybe the delta increases with longer runs, I’ll need to investigate it more.
Thanks!


Well, I guess we have the first Suricata instance with predictive capabilities without AI :wink: But please do so; at the moment Suricata logs eve.json timestamps 8 minutes ahead.
The date in stats.log is correct according to the system time. Stats in the JSON files match the numbers with CPU affinity for management, and the timestamp is correct for stats data. So far it looks to me that only event and protocol data is running ahead of time; Suricata system stats and such are correct with their timestamp.

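Two points in this thread lend themselves to a small script: the TSC-derived packet clock Lukas describes (wall time taken at startup plus elapsed cycles divided by an estimated TSC frequency), and Andre's observation that only packet-driven records run ahead while stats records agree with the system clock. The Python below is an added example, not Suricata or DPDK code: it models how far such a clock drifts when the frequency estimate is off, and flags EVE records whose timestamp runs ahead of a reference clock. The EVE lines, the reference time and the TSC frequencies are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# EVE timestamps look like "2024-06-21T10:31:21.304363+0200": microseconds
# and a numeric UTC offset without a colon, so strptime with %z is the
# dependable parser across Python versions.
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve_timestamp(text: str) -> datetime:
    """Parse an EVE 'timestamp' field into a timezone-aware datetime."""
    return datetime.strptime(text, EVE_TS_FORMAT)


def tsc_drift_seconds(real_elapsed_s: float, tsc_hz_actual: float,
                      tsc_hz_assumed: float) -> float:
    """Model of a TSC-based clock: elapsed cycles are converted to seconds
    with an assumed frequency. Returns how far the derived time runs ahead
    (positive) or behind (negative) of real time after real_elapsed_s
    seconds. A frequency estimate that is too low makes the clock run fast,
    and the error grows linearly with uptime."""
    cycles = real_elapsed_s * tsc_hz_actual
    tsc_elapsed_s = cycles / tsc_hz_assumed
    return tsc_elapsed_s - real_elapsed_s


def find_skewed_events(eve_lines, now: datetime, max_ahead_s: float):
    """Return (event_type, skew_seconds) for every EVE record whose timestamp
    is more than max_ahead_s ahead of the reference clock `now`. Records
    that are not JSON or lack a parseable timestamp are skipped, not raised,
    so a partially written line at the tail of eve.json does not abort the
    check."""
    skewed = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
            ts = parse_eve_timestamp(record["timestamp"])
        except (ValueError, KeyError, TypeError):
            continue
        skew = (ts - now).total_seconds()
        if skew > max_ahead_s:
            skewed.append((record.get("event_type", "?"), round(skew, 6)))
    return skewed


# Constructed sample input. The tls record reuses the timestamp shown in the
# thread (10:31:21.304363+0200, observed while `date` said 10:29:58 CEST);
# the stats record is made up to represent a record that agrees with the
# system clock, and the last line stands in for a truncated write.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-06-21T10:31:21.304363+0200","event_type":"tls",'
    '"src_ip":"172.18.9.245","dest_ip":"17.248.236.67","dest_port":443}',
    '{"timestamp":"2024-06-21T10:29:58.000000+0200","event_type":"stats"}',
    '{"timestamp":"2024-06-21T10:29:5',
]
# Reference clock: the `date` output from the thread, CEST is UTC+2.
SYSTEM_TIME = datetime(2024, 6, 21, 10, 29, 58,
                       tzinfo=timezone(timedelta(hours=2)))


if __name__ == "__main__":
    for event_type, skew in find_skewed_events(SAMPLE_EVE_LINES, SYSTEM_TIME, 1.0):
        print(f"{event_type}: {skew:+.3f} s ahead of the system clock")
    # One day of uptime with the TSC rate assumed 0.5 % below its real value
    # (2.0 GHz actual, 1.99 GHz assumed: both constructed figures).
    print(f"modelled drift after 24h: {tsc_drift_seconds(86400, 2.0e9, 1.99e9):.1f} s")
```

Pointing `find_skewed_events` at the live eve.json with `now` taken from the system clock gives a quick sanity check that alert timelines can be trusted; the stats record passing while the tls record is flagged mirrors the split Andre reports.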

Hi André,

if possible, can you please try GitHub - lukashino/suricata at bug/7115-drifting-tsc-v1 (it is a branch on my repo forwarded by the fixing commit compared to OISF/master)
to verify that it truly fixes the issue and doesn’t hamper your performance? I believe that should be it.
Thanks.

Hi Lukas,
Great, but to no avail. Compiling and linking went ok, starting did not; it does not run:
[2587413 - Suricata-Main] 2024-06-27 10:15:14 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[2587413 - Suricata-Main] 2024-06-27 10:15:14 Info: detect: 71788 signatures processed. 1928 are IP-only rules, 8399 are inspecting packet payload, 61401 inspect application layer, 0 are decoder event only
[2587413 - Suricata-Main] 2024-06-27 10:15:47 Error: dpdk: 0000:10:00.0: failed to configure the device: Invalid argument
[2587413 - Suricata-Main] 2024-06-27 10:15:47 Error: dpdk: 0000:10:00.0: failed to configure

messages file:
Jun 27 10:14:26 scomp1720 suricata[2586878]: Error: dpdk: 0000:10:00.0: failed to configure the device: Invalid argument [DeviceConfigure:runmode-dpdk.c:1470]
Jun 27 10:14:26 scomp1720 suricata[2586878]: Error: dpdk: 0000:10:00.0: failed to configure [ParseDpdkConfigAndConfigureDevice:runmode-dpdk.c:1586]
Jun 27 10:15:47 scomp1720 suricata[2587413]: Error: dpdk: 0000:10:00.0: failed to configure the device: Invalid argument [DeviceConfigure:runmode-dpdk.c:1470]
Jun 27 10:15:47 scomp1720 suricata[2587413]: Error: dpdk: 0000:10:00.0: failed to configure [ParseDpdkConfigAndConfigureDevice:runmode-dpdk.c:1586]

Expecting this:
[1851474 - Suricata-Main] 2024-06-25 13:11:09 Warning: dpdk: 0000:10:00.0: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096)
[1851474 - Suricata-Main] 2024-06-25 13:11:11 Warning: dpdk: 0000:84:00.0: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096)
[1851474 - Suricata-Main] 2024-06-25 13:11:14 Warning: dpdk: 0000:10:00.1: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096)
[1851474 - Suricata-Main] 2024-06-25 13:11:15 Warning: dpdk: 0000:0f:00.0: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096)
[1851474 - Suricata-Main] 2024-06-25 13:11:15 Warning: dpdk: 0000:84:00.1: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096)

Second server, more verbose suricata:

Jun 27 13:00:12 server suricata[2447600]: Config: detect: Loading rule file: /etc/suricata/rules/local.rules [ProcessSigFiles:detect-engine-loader.c:261]
Jun 27 13:00:12 server suricata[2447600]: Info: detect: 2 rule files processed. 71607 rules successfully loaded, 1 rules failed, 0 rules skipped [SigLoadSignatures:detect-engine-loader.c:378]
Jun 27 13:00:12 server suricata[2447600]: Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1012]
Jun 27 13:00:13 server suricata[2447600]: Info: detect: 71610 signatures processed. 1789 are IP-only rules, 8402 are inspecting packet payload, 61359 inspect application layer, 0 are decoder event only [SigPrepareStage1:detect-engine-build.c:1850]
Jun 27 13:00:13 server suricata[2447600]: Config: detect: building signature grouping structure, stage 1: preprocessing rules… complete [SigPrepareStage1:detect-engine-build.c:1853]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: TCP toserver: 41 port groups, 41 unique SGH’s, 0 copies [RulesGroupByPorts:detect-engine-build.c:1633]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: TCP toclient: 21 port groups, 21 unique SGH’s, 0 copies [RulesGroupByPorts:detect-engine-build.c:1633]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: UDP toserver: 41 port groups, 28 unique SGH’s, 13 copies [RulesGroupByPorts:detect-engine-build.c:1633]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: UDP toclient: 21 port groups, 17 unique SGH’s, 4 copies [RulesGroupByPorts:detect-engine-build.c:1633]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: OTHER toserver: 254 proto groups, 7 unique SGH’s, 247 copies [RulesGroupByProto:detect-engine-build.c:1024]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: OTHER toclient: 254 proto groups, 0 unique SGH’s, 254 copies [RulesGroupByProto:detect-engine-build.c:1057]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Unique rule groups: 114 [SigPrepareStage4:detect-engine-build.c:2029]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Builtin MPM “toserver TCP packet”: 34 [MpmStoreReportStats:detect-engine-mpm.c:1473]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Builtin MPM “toclient TCP packet”: 20 [MpmStoreReportStats:detect-engine-mpm.c:1473]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Builtin MPM “toserver TCP stream”: 32 [MpmStoreReportStats:detect-engine-mpm.c:1473]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Builtin MPM “toclient TCP stream”: 17 [MpmStoreReportStats:detect-engine-mpm.c:1473]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Builtin MPM “toserver UDP packet”: 28 [MpmStoreReportStats:detect-engine-mpm.c:1473]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Builtin MPM “toclient UDP packet”: 17 [MpmStoreReportStats:detect-engine-mpm.c:1473]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: Builtin MPM “other IP packet”: 5 [MpmStoreReportStats:detect-engine-mpm.c:1473]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_uri (http)”: 19 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_uri (http2)”: 19 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_uri (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_uri (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_uri (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_request_line (http)”: 9 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_request_line (http2)”: 9 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_client_body (http)”: 18 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_client_body (http2)”: 18 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_response_line (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_response_line (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http)”: 20 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http)”: 14 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http)”: 20 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http)”: 14 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http2)”: 20 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header (http2)”: 14 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http2)”: 20 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header (http2)”: 14 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_request_header (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_request_header (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_request_header (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_request_header (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_response_header (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_response_header (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header_names (http)”: 11 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header_names (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header_names (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header_names (http)”: 11 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header_names (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header_names (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header_names (http2)”: 11 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header_names (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_header_names (http2)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header_names (http2)”: 11 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header_names (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_header_names (http2)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_accept (http)”: 8 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_accept (http2)”: 8 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_accept_enc (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_accept_enc (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_accept_lang (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_accept_lang (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_referer (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_referer (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_connection (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_connection (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_connection (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_connection (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_content_len (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_content_len (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_content_len (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_content_len (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_content_type (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_content_type (http2)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_content_type (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_content_type (http2)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http.server (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http.server (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http.location (http)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http.location (http2)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_protocol (http)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_protocol (http)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_protocol (http2)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_protocol (http2)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_start (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_start (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_header (http)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_header (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_raw_header (http)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_raw_header (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_header (http2)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_header (http2)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_raw_header (http2)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_raw_header (http2)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_method (http)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_method (http2)”: 6 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_cookie (http)”: 8 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_cookie (http)”: 8 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_cookie (http2)”: 8 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_cookie (http2)”: 8 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_user_agent (http)”: 14 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_user_agent (http2)”: 14 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_host (http)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_host (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_host (http2)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_host (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_host (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver http_raw_host (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_stat_code (http)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient http_stat_code (http2)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver dns_query (dns)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver dns_query (dns)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver tls.sni (tls)”: 5 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver tls.sni (tls)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver tls.cert_issuer (tls)”: 5 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient tls.cert_issuer (tls)”: 5 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver tls.cert_subject (tls)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient tls.cert_subject (tls)”: 4 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient tls.cert_serial (tls)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver tls.cert_serial (tls)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient tls.cert_fingerprint (tls)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver tls.cert_fingerprint (tls)”: 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toclient tls.certs (tls)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver tls.certs (tls)”: 3 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver ja3.hash (tls)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM “toserver ja3.hash (quic)”: 2 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient ja3s.hash (tls)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient ja3s.hash (quic)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver ssh.proto (ssh)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient ssh.proto (ssh)": 1 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient file_data (nfs)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver file_data (nfs)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient file_data (smb)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver file_data (smb)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient file_data (ftp)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver file_data (ftp)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient file_data (ftp-data)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver file_data (ftp-data)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient file_data (http)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver file_data (http)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toclient file_data (http2)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver file_data (http2)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:13 server suricata[2447600]: Perf: detect: AppLayer MPM "toserver file_data (smtp)": 29 [MpmStoreReportStats:detect-engine-mpm.c:1481]
Jun 27 13:00:45 server suricata[2447600]: TELEMETRY: No legacy callbacks, legacy socket not created
Jun 27 13:00:45 server suricata[2447600]: ETHDEV: Ethdev port_id=1 invalid RSS key len: 40, valid value: 52
Jun 27 13:00:45 server suricata[2447600]: TELEMETRY: No legacy callbacks, legacy socket not created
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_VLAN_STRIP - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1028]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_IPV4_CKSUM - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1030]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_UDP_CKSUM - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1032]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_TCP_CKSUM - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1034]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_TCP_LRO - NOT available [DumpRXOffloadCapabilities:runmode-dpdk.c:1036]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_QINQ_STRIP - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1038]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_OUTER_IPV4_CKSUM - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1040]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_MACSEC_STRIP - NOT available [DumpRXOffloadCapabilities:runmode-dpdk.c:1042]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_VLAN_FILTER - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1048]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_VLAN_EXTEND - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1050]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_SCATTER - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1052]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_TIMESTAMP - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1054]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_SECURITY - NOT available [DumpRXOffloadCapabilities:runmode-dpdk.c:1056]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_KEEP_CRC - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1058]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_SCTP_CKSUM - NOT available [DumpRXOffloadCapabilities:runmode-dpdk.c:1060]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_OUTER_UDP_CKSUM - NOT available [DumpRXOffloadCapabilities:runmode-dpdk.c:1062]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_RSS_HASH - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1064]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: RTE_ETH_RX_OFFLOAD_BUFFER_SPLIT - available [DumpRXOffloadCapabilities:runmode-dpdk.c:1067]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: 0000:10:00.0: interrupt mode is disabled [PortConfSetInterruptMode:runmode-dpdk.c:1129]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: 0000:10:00.0: RSS enabled for 26 queues [PortConfSetRSSConf:runmode-dpdk.c:1139]
Jun 27 13:00:45 server suricata[2447600]: Config: dpdk: 0000:10:00.0: IP, TCP and UDP checksum validation offloaded [PortConfSetChsumOffload:runmode-dpdk.c:1183]
Jun 27 13:00:45 server suricata[2447600]: ETHDEV: Ethdev port_id=1 invalid RSS key len: 40, valid value: 52
Jun 27 13:00:45 server suricata[2447600]: Error: dpdk: 0000:10:00.0: failed to configure the device: Invalid argument [DeviceConfigure:runmode-dpdk.c:1470]
Jun 27 13:00:46 server suricata[2447600]: Error: dpdk: 0000:10:00.0: failed to configure [ParseDpdkConfigAndConfigureDevice:runmode-dpdk.c:1586]
Jun 27 13:00:46 server systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Jun 27 13:00:46 server systemd[1]: suricata.service: Failed with result 'exit-code'.

Hi,
this shouldn’t be related to the PR - on ConnectX5 card it is booting fine.
Just to make sure:

  • what is your NIC? I assume it is the ice driver - Intel E810?
  • have you changed anything while trying out my branch? Did you checkout to the correct branch (bug/7115-drifting-tsc-v1) - making sure you weren’t just on master after cloning the repo?

Lukas

Edit:
I tested ice driver (E810) with DPDK 23.11 and I have no issues with device setup.

Hi,

Network devices using DPDK-compatible driver
============================================
0000:0f:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection 10fb' drv=vfio-pci unused=ixgbe
0000:10:00.0 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:10:00.1 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:84:00.0 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice
0000:84:00.1 'Ethernet Controller E810-C for QSFP 1592' drv=vfio-pci unused=ice

Yes, it seems correct. You can check the output of git status in the cloned directory:

git status
On branch bug/7115-drifting-tsc-v1
Your branch is up to date with 'origin/bug/7115-drifting-tsc-v1'.

Otherwise, the instructions should be more like:

git clone -b bug/7115-drifting-tsc-v1 https://github.com/lukashino/suricata.git suricata-lukas

cd suricata-lukas 
./scripts/bundle.sh
./autogen.sh
./configure --enable-dpdk
make -j16

Running fine indeed after the -b option, sorry for the confusion!

]# suricatasc -c version
{"message": "8.0.0-dev (b77bf6226 2024-06-26)", "return": "OK"}

messages:
Jun 28 10:34:01 scomp1720 suricata[368923]: TELEMETRY: No legacy callbacks, legacy socket not created
Jun 28 10:34:02 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:01 scomp1720 suricata[368923]: TELEMETRY: No legacy callbacks, legacy socket not created
Jun 28 10:34:01 scomp1720 suricata[368923]: Warning: dpdk: 0000:10:00.0: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096) [DeviceConfigure:runmode-dpdk.c:1490]
Jun 28 10:34:01 scomp1720 suricata[368923]: Notice: log-pcap: Ring buffer initialized with 612 files. [PcapLogInitRingBuffer:log-pcap.c:986]
Jun 28 10:34:02 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:04 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:04 scomp1720 suricata[368923]: Warning: dpdk: 0000:84:00.0: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096) [DeviceConfigure:runmode-dpdk.c:1490]
Jun 28 10:34:04 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:06 scomp1720 suricata[368923]: Warning: dpdk: 0000:10:00.1: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096) [DeviceConfigure:runmode-dpdk.c:1490]
Jun 28 10:34:07 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:07 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:07 scomp1720 suricata[368923]: Warning: dpdk: 0000:0f:00.0: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096) [DeviceConfigure:runmode-dpdk.c:1490]
Jun 28 10:34:07 scomp1720 suricata[368923]: Warning: dpdk: 0000:84:00.1: device queue descriptors adjusted (RX: from 32768 to 4096, TX: from 32768 to 4096) [DeviceConfigure:runmode-dpdk.c:1490]
Jun 28 10:34:08 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:08 scomp1720 suricata[368923]: ice_vsi_config_outer_vlan_stripping(): Single VLAN mode (SVM) does not support qinq
Jun 28 10:34:08 scomp1720 suricata[368923]: Notice: threads: Threads created -> W: 102 FM: 5 FR: 5 Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1907]

I'll let you know in a few hours whether the event timestamps are correct or still going more and more ahead of time.

An update in between:
]# suricatasc -c uptime
{"message": 12045, "return": "OK"}

Timestamps are going strong, nothing in the future. Maybe wait 88 hours :wink:
Sunday: still going well. I have now changed the logrotate interval from 6 to 12 hours to keep track, but all those 6-hour JSONs looked great. I think you've nailed it.

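A reusable version of the check André runs by hand above (tail the EVE log and compare its timestamps with `date`), as an added example that is not part of this thread or of Suricata itself: it parses EVE lines, computes each event's offset from a reference clock and flags events that sit in the future beyond a tolerance, which is the symptom the whole thread is about. The sample lines and the reference time are constructed (the reference matches the `date` output in the first post); on a live sensor you would feed it the current tail of eve.json together with the wall clock, and a growing maximum offset between runs is the drift signature.

```python
"""Flag Suricata EVE events whose timestamp runs ahead of a reference clock.

Added example (not from the thread, not Suricata code). Suricata writes EVE
timestamps as 2024-06-20T09:47:56.029855+0200, i.e. a UTC offset without a
colon, which Python's %z directive accepts.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample: three EVE lines and one malformed line, as a live tail of
# eve.json may hand over a partially written record. The third event is about
# 84 s ahead of the reference clock below, mirroring the gap in the report.
SAMPLE_EVE = """\
{"timestamp":"2024-06-20T09:46:30.100000+0200","event_type":"flow","flow_id":1}
{"timestamp":"2024-06-20T09:46:31.250000+0200","event_type":"tls","flow_id":2}
{"timestamp":"2024-06-20T09:47:56.029855+0200","event_type":"alert","flow_id":3}
not json at all
"""

# Constructed reference clock (CEST, UTC+2): the `date` output from the first post.
REFERENCE_NOW = datetime(2024, 6, 20, 9, 46, 32, tzinfo=timezone(timedelta(hours=2)))


def parse_eve_timestamp(ts: str) -> datetime:
    """Parse an EVE timestamp into a timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def check_clock_skew(eve_text: str, now: datetime,
                     tolerance: timedelta = timedelta(seconds=1)) -> dict:
    """Compare every event timestamp against `now`.

    Returns the number of parsed events, the number of malformed lines, the
    largest offset (event time minus `now`, in seconds) and the list of events
    that are ahead of `now` by more than `tolerance`. Aware datetimes compare
    correctly across different UTC offsets, so the reference clock may be UTC.
    """
    offsets: list[float] = []
    future: list[dict] = []
    malformed = 0
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            ts = parse_eve_timestamp(event["timestamp"])
        except (ValueError, KeyError, TypeError):
            # json.JSONDecodeError is a ValueError; count and move on rather
            # than abort a monitoring run on one torn line.
            malformed += 1
            continue
        offset = (ts - now).total_seconds()
        offsets.append(offset)
        if offset > tolerance.total_seconds():
            future.append({
                "flow_id": event.get("flow_id"),
                "event_type": event.get("event_type"),
                "ahead_by_s": round(offset, 6),
            })
    return {
        "events": len(offsets),
        "malformed": malformed,
        "max_offset_s": max(offsets) if offsets else None,
        "future": future,
    }


def check_eve_file(path: str, tolerance: timedelta = timedelta(seconds=1)) -> dict:
    """Run the check on a real eve.json against the current wall clock."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_clock_skew(fh.read(), datetime.now(timezone.utc), tolerance)


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; reports one event ~84 s ahead.
    print(json.dumps(check_clock_skew(SAMPLE_EVE, REFERENCE_NOW), indent=2))
```

Run it periodically against the newest EVE file (`check_eve_file("/data/sensor_data/suricata/eve.json")`) and compare `max_offset_s` between runs: a steady value near zero means the engine clock is sane, while a value that keeps increasing over hours is the drift reported at the top of this thread.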

Today, with a 12h log rotation, still going strong, no time deviations any more, great work!

OK, perfect, thank you for confirming!
