capstats doesn't work with af_packet

Subject says it all. When I run interface=af_packet::em3, broctl capstats reports no statistics.

How can I fix this? I rely on this information for traffic profiling of the system. Thanks!

Hm, after investigating, I think this might be a parsing issue of node.cfg? If I set the interface to em3 by itself with bro already running, capstats works with broctl. This seems to indicate to me that maybe node.cfg isn’t parsing out interfaces using plugins? I can’t find the broctl function that handles the capstats call.

It doesn't work right, and it can't really work right. I think the short answer is that capstats is going away. As a standalone tool it is ok, but running it on a schedule is not a great feature. It generates stats by actually capturing the packets and reporting on what it saw. On a heavily loaded worker this is the absolute last thing you want to do.

The stats.log will contain the same data split out by worker in the fields like bytes_recv, pkts_proc, pkts_dropped, pkts_link. You should be able to do the profiling you need using this data.
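An added example, not part of the original thread and not BroControl code: a per-worker summary of the stats.log counters named in the reply above. The sample log lines are constructed and use a reduced column set, and computing the drop percentage as pkts_dropped / pkts_link is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated log layout (reduced columns, not real data).
SAMPLE_STATS_LOG = "\n".join([
    "#separator \\x09",
    "#path\tstats",
    "#fields\tts\tpeer\tpkts_proc\tbytes_recv\tpkts_dropped\tpkts_link",
    "#types\ttime\tstring\tcount\tcount\tcount\tcount",
    "1500000000.0\tworker-1\t900\t720000\t100\t1000",
    "1500000000.0\tworker-2\t500\t400000\t0\t500",
    "1500000000.0\tmanager\t0\t0\t-\t-",
    "1500000300.0\tworker-1\t1000\t800000\t0\t1000",
    "#close\t2017-07-14-03-00-00",
])

COUNTERS = ("pkts_proc", "bytes_recv", "pkts_dropped", "pkts_link")

def parse_bro_log(text):
    """Yield one dict per data row, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def per_worker_totals(text):
    """Sum each counter per peer (worker, manager, ...) across all intervals."""
    totals = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for row in parse_bro_log(text):
        for name in COUNTERS:
            value = row.get(name, "-")
            if value != "-":  # "-" marks an unset field, e.g. on non-capturing nodes
                totals[row["peer"]][name] += int(value)
    return dict(totals)

def drop_percent(counters):
    """Dropped packets as a percentage of packets seen on the link, or None."""
    link = counters["pkts_link"]
    return 100.0 * counters["pkts_dropped"] / link if link else None

if __name__ == "__main__":
    for peer, counters in sorted(per_worker_totals(SAMPLE_STATS_LOG).items()):
        print(peer, counters, drop_percent(counters))
```
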

Hm, ok. Previously I was using pfcount, since we were using pf_ring, but since moving to af_packet, pfcount is obviously no longer an option, and I was hoping to use capstats as a standalone. Thanks for the quick response! Will probably just massage this into Splunk with a timechart.