From eea3c6b6107a30b35675e21cce3bfb442361f005 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Tue, 11 Jun 2019 23:01:22 +0200 Subject: [PATCH] doc: info for new bypass counters --- doc/userguide/capture-hardware/ebpf-xdp.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/userguide/capture-hardware/ebpf-xdp.rst b/doc/userguide/capture-hardware/ebpf-xdp.rst index 37d1143d29..7f51073f0f 100644 --- a/doc/userguide/capture-hardware/ebpf-xdp.rst +++ b/doc/userguide/capture-hardware/ebpf-xdp.rst @@ -518,7 +518,17 @@ bytes and packets counters as well as a bypassed and closed flow counter :: { "local_pkts": 0, "local_bytes": 0, + "local_capture_pkts": 20, + "local_capture_bytes": 25000, "closed": 84, "pkts": 4799, "bytes": 2975133 } + +`local_pkts` and `local_bytes` are for Suricata bypassed flows. This can be because +local bypass is used or because the capture method can not bypass more flows. +`pkts` and `bytes` are counters coming from the capture method. They can take some +time to appear due to the accounting at timeout. +`local_capture_pkts` and `local_capture_bytes` are counters for packets that are seen +by Suricata before the capture method efficiently bypass the traffic. There is almost +always some for each flow because of the buffer in front of Suricata reading threads.
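Review bot: the explanatory paragraph added after the JSON block has a few wording problems and, in an .rst file, uses single backticks, which reStructuredText renders as interpreted text rather than as an inline literal. In "before the capture method efficiently bypass the traffic" the verb should be "bypasses", "can not" should be "cannot", and "There is almost always some for each flow" reads better as "Some are almost always present for each flow". For the counter names, the double-backtick form (``local_pkts``, ``local_capture_pkts``) gives the monospace rendering readers expect for field names. Since the paragraph describes three distinct counter pairs, splitting it into one short paragraph (or an RST definition-list entry) per pair would also make it easier to match each explanation to the field in the example above; the explanation for ``pkts``/``bytes`` in particular is easy to miss in the middle of the block, and the remark about accounting at timeout is the operationally useful caveat a reader needs when the capture-method counters lag behind the local ones.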