doc: info for new bypass counters

author Eric Leblond <eric@regit.org>

Tue, 11 Jun 2019 21:01:22 +0000 (23:01 +0200)

committer Victor Julien <victor@inliniac.net>

Tue, 18 Jun 2019 05:07:02 +0000 (07:07 +0200)
author Eric Leblond <eric@regit.org>
Tue, 11 Jun 2019 21:01:22 +0000 (23:01 +0200)
committer Victor Julien <victor@inliniac.net>
Tue, 18 Jun 2019 05:07:02 +0000 (07:07 +0200)
diff --git a/doc/userguide/capture-hardware/ebpf-xdp.rst b/doc/userguide/capture-hardware/ebpf-xdp.rst

index 37d1143d297a0b49e043b24eafdd1789f7428101..7f51073f0fd0ccd0aa6058fe904898cd765de88e 100644 (file)
--- a/doc/userguide/capture-hardware/ebpf-xdp.rst
+++ b/doc/userguide/capture-hardware/ebpf-xdp.rst
@@ -518,7 +518,17 @@ bytes and packets counters as well as a bypassed and closed flow counter ::
   {
     "local_pkts": 0,
     "local_bytes": 0,
+   "local_capture_pkts": 20,
+   "local_capture_bytes": 25000,
     "closed": 84,
     "pkts": 4799,
     "bytes": 2975133
   }
+
+`local_pkts` and `local_bytes` are for Suricata bypassed flows. This can be because
+local bypass is used or because the capture method can not bypass more flows.
+`pkts` and `bytes` are counters coming from the capture method. They can take some
+time to appear due to the accounting at timeout.
+`local_capture_pkts` and `local_capture_bytes` are counters for packets that are seen
+by Suricata before the capture method efficiently bypass the traffic. There is almost
+always some for each flow because of the buffer in front of Suricata reading threads.
author	Eric Leblond <eric@regit.org>
	Tue, 11 Jun 2019 21:01:22 +0000 (23:01 +0200)
committer	Victor Julien <victor@inliniac.net>
	Tue, 18 Jun 2019 05:07:02 +0000 (07:07 +0200)