

### Reproducible Test ####

## BEGIN set up

DUT-1 - Suricata
DUT-2 - replay machine - Trex/tcpreplay

DUT-1's sniffing interface is connected via a direct cable attachment to DUT-2's replay interface


On DUT-1 :
  *-network:1
       description: Ethernet interface
       product: Ethernet Controller XL710 for 40GbE QSFP+
       vendor: Intel Corporation
       physical id: 0.1
       bus info: pci@0000:82:00.1
       logical name: ens5f1
       version: 02
       serial: 3c:fd:fe:9e:97:a7
       width: 64 bits
       clock: 33MHz
       capabilities: pm msi msix pciexpress vpd bus_master cap_list rom ethernet physical fibre autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=i40e driverversion=2.7.29 duplex=full firmware=6.01 0x800034a4 1.1747.0 latency=0 link=yes multicast=yes promiscuous=yes
       resources: irq:36 memory:cd800000-cdffffff memory:ce808000-ce80ffff memory:fbe00000-fbe7ffff memory:ce400000-ce7fffff memory:ce910000-cea0ffff

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.2 LTS
Release:	18.04
Codename:	bionic

uname -a
Linux ce-80-1 4.18.0-20-generic #21~18.04.1-Ubuntu SMP Wed May 8 08:43:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

# Rules used
cat /opt/wrongthread.rules 
alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)

lscpu 
Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:          Little Endian
CPU(s):              72
On-line CPU(s) list: 0-71
Thread(s) per core:  2
Core(s) per socket:  18
Socket(s):           2
NUMA node(s):        2
Vendor ID:           GenuineIntel
CPU family:          6
Model:               79
Model name:          Intel(R) Xeon(R) CPU E5-2697 v4 @ 2.30GHz
Stepping:            1
CPU MHz:             1199.328
CPU max MHz:         3600.0000
CPU min MHz:         1200.0000
BogoMIPS:            4589.77
Virtualization:      VT-x
L1d cache:           32K
L1i cache:           32K
L2 cache:            256K
L3 cache:            46080K
NUMA node0 CPU(s):   0-17,36-53
NUMA node1 CPU(s):   18-35,54-71
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single pti intel_ppin ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm rdt_a rdseed adx smap intel_pt xsaveopt cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts md_clear flush_l1d

suricata --dump-config  |grep affinity 
threading.set-cpu-affinity = yes
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 1-16
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0-10
threading.cpu-affinity.2 = worker-cpu-set
threading.cpu-affinity.2.worker-cpu-set = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu.0 = 17-34
threading.cpu-affinity.2.worker-cpu-set.cpu.1 = 53-70
threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
threading.cpu-affinity.2.worker-cpu-set.prio = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1
threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 17-34
threading.cpu-affinity.2.worker-cpu-set.prio.high.1 = 53-70
threading.cpu-affinity.2.worker-cpu-set.prio.default = high

This is Suricata version 5.0.0-dev (rev 257dcb0e1)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            yes
  XDP support:                             yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  liblzma support:                         yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes, through luajit
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          no

  Rust support:                            yes
  Rust strict mode:                        yes
  Rust debug mode:                         no
  Rust compiler:                           rustc 1.31.0
  Rust cargo:                              cargo 1.31.0

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python version:                          Python 3.6.7
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                clang-6.0 (exec name) / clang (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native -I${srcdir}/../rust/gen/c-headers
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                


Also - a locally built ethtool (latest version from here - https://mirrors.edge.kernel.org/pub/software/network/ethtool/ ) is used

On DUT 2
# on the remote/replay machine the pcap is replayed like so
tcpreplay --intf1=ens5f1  combined-frags/many-frags-cornercases-seeded.pcap 


## END set up ##

For each run 
- the sniffing NIC was reconfigured as described in each section
- suricata logs were cleared/flushed before the run
- suricata was started as described in each run's section
- then the pcap was replayed from DUT-2 like so
tcpreplay --intf1=ens5f1  combined-frags/many-frags-cornercases-seeded.pcap 
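
Added example (not part of the original report): a helper that turns one run's stats.log and suricata.log into the YES/NO wrong-thread verdict and a per-worker packet summary. The function names and the sample log lines are constructed for illustration, and a counter that never appears in stats.log is assumed to be 0.

```shell
#!/bin/sh
# Added example: summarise one replay run from Suricata's stats.log and
# suricata.log. Function names and sample log lines are constructed here.

# Print the most recent Total value of counter $1 in stats.log-style file $2.
# stats.log is appended to on every stats interval, so the last match wins.
# Assumption: a counter that never appears is treated as 0.
last_counter() {
    awk -F'|' -v name="$1" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == name { val = $3; gsub(/[ \t]/, "", val); last = val }
        END { print last + 0 }
    ' "$2"
}

# Print YES when either wrong-thread counter is non-zero, NO otherwise,
# followed by the two counter values.
wrong_thread_verdict() {
    s=$(last_counter stream.wrong_thread "$1")
    t=$(last_counter tcp.pkt_on_wrong_thread "$1")
    if [ "$s" -gt 0 ] || [ "$t" -gt 0 ]; then v=YES; else v=NO; fi
    echo "$v stream.wrong_thread=$s tcp.pkt_on_wrong_thread=$t"
}

# Summarise the ReceiveAFPThreadExitStats lines of suricata.log: how many
# worker threads exist, how many received packets, and the packet/drop totals.
worker_summary() {
    awk '
        /ReceiveAFPThreadExitStats/ {
            p = 0; d = 0
            for (i = 1; i < NF; i++) {
                if ($i == "Packets") { p = $(i + 1); sub(/,$/, "", p) }
                if ($i == "dropped") { d = $(i + 1) }
            }
            total++; pkts += p; drops += d
            if (p + 0 > 0) active++
        }
        END {
            printf "workers=%d active=%d packets=%d dropped=%d\n",
                   total, active, pkts, drops
        }
    ' "$1"
}

# Write constructed sample logs into directory $1.
make_sample() {
    # Two stats dumps from the same run; only the second one should count.
    cat > "$1/stats-wrong.log" <<'EOF'
capture.kernel_packets                        | Total                     | 12000
stream.wrong_thread                           | Total                     | 1
tcp.pkt_on_wrong_thread                       | Total                     | 2
capture.kernel_packets                        | Total                     | 30000
stream.wrong_thread                           | Total                     | 3
tcp.pkt_on_wrong_thread                       | Total                     | 6
EOF
    # A run in which the wrong-thread counters never show up.
    cat > "$1/stats-clean.log" <<'EOF'
capture.kernel_packets                        | Total                     | 30000
defrag.ipv4.fragments                         | Total                     | 8000
EOF
    # Worker exit lines for a 4-thread run, one worker idle.
    cat > "$1/suricata.log" <<'EOF'
[1001] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-ens5f1) Kernel: Packets 20000, dropped 0
[1002] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#02-ens5f1) Kernel: Packets 9000, dropped 0
[1003] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#03-ens5f1) Kernel: Packets 1000, dropped 0
[1004] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#04-ens5f1) Kernel: Packets 0, dropped 0
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
wrong_thread_verdict "$demo_dir/stats-wrong.log"
wrong_thread_verdict "$demo_dir/stats-clean.log"
worker_summary "$demo_dir/suricata.log"
rm -rf "$demo_dir"
```

On the test box the same functions take /var/log/suricata/stats.log and /var/log/suricata/suricata.log as arguments after each run.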


## runs 
1)

NO - wrong threads/packets counters present 
(using cluster flow)

NIC setup:

rmmod i40e && modprobe i40e
ifconfig ens5f1 down
/usr/local/sbin/ethtool -L ens5f1 combined 4
/usr/local/sbin/ethtool -K ens5f1 rxhash on
/usr/local/sbin/ethtool -K ens5f1 ntuple on
ifconfig ens5f1 up
/opt/i40e/i40e-2.7.29/scripts/set_irq_affinity local ens5f1
/usr/local/sbin/ethtool -X ens5f1 hkey 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A equal 4

/usr/local/sbin/ethtool -A ens5f1 rx off tx off
/usr/local/sbin/ethtool -C ens5f1 adaptive-rx off adaptive-tx off rx-usecs 125
/usr/local/sbin/ethtool -G ens5f1 rx 1024
ip link set ens5f1 promisc on arp off up
echo 1 > /proc/sys/net/ipv6/conf/ens5f1/disable_ipv6

/usr/local/sbin/ethtool -x ens5f1
/usr/local/sbin/ethtool -n ens5f1

for proto in tcp4 udp4 tcp6 udp6; do
       echo "/usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn"
       /usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn
done

suricata -c /etc/suricata/suricata.yaml -S /opt/wrongthread.rules --set "af-packet.0.threads = 4"  --set "af-packet.0.cluster-type=cluster_flow" --set "af-packet.1.cluster-type=cluster_flow" -vvv  --af-packet 


suricata --dump-config |grep af-packet
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = ens5f1
af-packet.0.threads = 18
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_qm
af-packet.0.defrag = yes
af-packet.0.xdp-mode = driver
af-packet.0.xdp-filter-file = /etc/suricata/xdp_filter.bpf
af-packet.0.bypass = yes
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.tpacket-v3 = yes
af-packet.0.ring-size = 300000
af-packet.0.block-size = 2097152
af-packet.1 = interface
af-packet.1.interface = default



2)

YES - wrong threads/packets counters present 

NIC setup:

rmmod i40e && modprobe i40e
ifconfig ens5f1 down
/usr/local/sbin/ethtool -L ens5f1 combined 4
/usr/local/sbin/ethtool -K ens5f1 rxhash on
/usr/local/sbin/ethtool -K ens5f1 ntuple on
ifconfig ens5f1 up
/opt/i40e/i40e-2.7.29/scripts/set_irq_affinity local ens5f1
/usr/local/sbin/ethtool -X ens5f1 hkey 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A equal 4

/usr/local/sbin/ethtool -A ens5f1 rx off tx off
/usr/local/sbin/ethtool -C ens5f1 adaptive-rx off adaptive-tx off rx-usecs 125
/usr/local/sbin/ethtool -G ens5f1 rx 1024
ip link set ens5f1 promisc on arp off up
echo 1 > /proc/sys/net/ipv6/conf/ens5f1/disable_ipv6

/usr/local/sbin/ethtool -x ens5f1
/usr/local/sbin/ethtool -n ens5f1

for proto in tcp4 udp4 tcp6 udp6; do
       echo "/usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn"
       /usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn
done

suricata -c /etc/suricata/suricata.yaml -S /opt/wrongthread.rules --set "af-packet.0.threads = 4"  -vvv  --af-packet 


suricata --dump-config |grep af-packet
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = ens5f1
af-packet.0.threads = 18
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_qm
af-packet.0.defrag = yes
af-packet.0.xdp-mode = driver
af-packet.0.xdp-filter-file = /etc/suricata/xdp_filter.bpf
af-packet.0.bypass = yes
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.tpacket-v3 = yes
af-packet.0.ring-size = 300000
af-packet.0.block-size = 2097152
af-packet.1 = interface
af-packet.1.interface = default


tail -F /var/log/suricata/stats.log  |grep -E "kernel|wrong|memcap|emer|frag"

capture.kernel_packets                        | Total                     | 27224
defrag.ipv4.fragments                         | Total                     | 8760
defrag.ipv4.reassembled                       | Total                     | 133
defrag.ipv6.fragments                         | Total                     | 14187
defrag.ipv6.reassembled                       | Total                     | 92
decoder.event.ipv4.frag_overlap               | Total                     | 4804
decoder.event.ipv6.frag_overlap               | Total                     | 7308
stream.wrong_thread                           | Total                     | 2
tcp.pkt_on_wrong_thread                       | Total                     | 4

[69436] 11/6/2019 -- 15:35:25 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[69459] 11/6/2019 -- 15:35:25 - (tm-threads.c:1092) <Perf> (TmThreadSetupOptions) -- Setting prio 0 for thread "US", thread id 69459
[69436] 11/6/2019 -- 15:35:25 - (tm-threads.c:2157) <Notice> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 17 management threads initialized, engine started.
[69438] 11/6/2019 -- 15:35:25 - (source-af-packet.c:1799) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=2097152 block_nr=239 frame_size=1664 frame_nr=301140 (mem: 501219328)
[69439] 11/6/2019 -- 15:35:26 - (source-af-packet.c:1799) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=2097152 block_nr=239 frame_size=1664 frame_nr=301140 (mem: 501219328)
[69440] 11/6/2019 -- 15:35:26 - (source-af-packet.c:1799) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=2097152 block_nr=239 frame_size=1664 frame_nr=301140 (mem: 501219328)
[69441] 11/6/2019 -- 15:35:26 - (source-af-packet.c:1799) <Perf> (AFPComputeRingParamsV3) -- AF_PACKET V3 RX Ring params: block_size=2097152 block_nr=239 frame_size=1664 frame_nr=301140 (mem: 501219328)
[69441] 11/6/2019 -- 15:35:26 - (source-af-packet.c:510) <Info> (AFPPeersListReachedInc) -- All AFP capture threads are running.
^C[69436] 11/6/2019 -- 15:36:55 - (suricata.c:2846) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[69447] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69446] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69445] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69444] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69448] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69443] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69449] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69442] 11/6/2019 -- 15:36:55 - (flow-manager.c:796) <Perf> (FlowManager) -- 0 new flows, 0 established flows were timed out, 0 flows in closed state
[69436] 11/6/2019 -- 15:36:56 - (suricata.c:1093) <Info> (SCPrintElapsedTime) -- time elapsed 92.704s
[69452] 11/6/2019 -- 15:36:57 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 16 flows processed
[69454] 11/6/2019 -- 15:36:57 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 9 flows processed
[69455] 11/6/2019 -- 15:36:57 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 7 flows processed
[69453] 11/6/2019 -- 15:36:57 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 8 flows processed
[69451] 11/6/2019 -- 15:36:57 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 13 flows processed
[69450] 11/6/2019 -- 15:36:57 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 30 flows processed
[69438] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-ens5f1) Kernel: Packets 23492, dropped 0
[69439] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#02-ens5f1) Kernel: Packets 5501, dropped 0
[69440] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#03-ens5f1) Kernel: Packets 557, dropped 0
[69441] 11/6/2019 -- 15:36:57 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#04-ens5f1) Kernel: Packets 565, dropped 0
[69436] 11/6/2019 -- 15:36:57 - (counters.c:849) <Info> (StatsLogSummary) -- Alerts: 2
[69436] 11/6/2019 -- 15:36:59 - (ippair.c:290) <Perf> (IPPairPrintStats) -- ippair memory usage: 414144 bytes, maximum: 16777216
[69436] 11/6/2019 -- 15:37:00 - (host.c:294) <Perf> (HostPrintStats) -- host memory usage: 398144 bytes, maximum: 33554432
[69436] 11/6/2019 -- 15:37:00 - (detect-engine-build.c:1732) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[69436] 11/6/2019 -- 15:37:00 - (util-device.c:337) <Notice> (LiveDeviceListClean) -- Stats for 'ens5f1':  pkts: 30115, drop: 0 (0.00%), invalid chksum: 0
[69436] 11/6/2019 -- 15:37:00 - (util-ioctl.c:502) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring gro offloading
[69436] 11/6/2019 -- 15:37:00 - (util-ioctl.c:508) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring tso offloading
[69436] 11/6/2019 -- 15:37:00 - (util-ioctl.c:514) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring gso offloading
[69436] 11/6/2019 -- 15:37:00 - (util-ioctl.c:520) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring sg offloading


grep '"event_type":"alert"' /var/log/suricata/eve.json |jq .
{
  "timestamp": "2019-06-11T15:41:11.302806+0000",
  "flow_id": 2204056077977262,
  "in_iface": "ens5f1",
  "event_type": "alert",
  "src_ip": "6390:dea8:4f10:dea8:4b1c:efaf:63d3:4367",
  "src_port": 38325,
  "dest_ip": "6390:dea8:4f10:dea8:4b1c:efaf:6bd2:ebe9",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2210059,
    "rev": 1,
    "signature": "SURICATA STREAM pkt seen on wrong thread",
    "category": "",
    "severity": 3
  },
  "http": {
    "hostname": "suricata-ids.org",
    "url": "/features/all-features/",
    "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "http_refer": "http://suricata-ids.org/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  },
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 49,
    "pkts_toclient": 54,
    "bytes_toserver": 9185,
    "bytes_toclient": 3996,
    "start": "2019-06-11T15:41:11.116398+0000"
  },
  "payload": "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",
  "payload_printable": "GET /features/all-features/ HTTP/1.1\r\nHost: suricata-ids.org\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://suricata-ids.org/\r\nConnection: keep-alive\r\nIf-Modified-Since: Sat, 29 Mar 2014 09:44:34 GMT\r\nCache-Control: max-age=0\r\n\r\n",
  "stream": 0,
  "packet": "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",
  "packet_info": {
    "linktype": 1
  }
}
{
  "timestamp": "2019-06-11T15:41:14.856841+0000",
  "flow_id": 2204056078179782,
  "in_iface": "ens5f1",
  "event_type": "alert",
  "src_ip": "6390:dea8:4f10:dea8:4b1c:efaf:63d3:4367",
  "src_port": 38325,
  "dest_ip": "6390:dea8:4f10:dea8:4b1c:efaf:6bd2:ebe9",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2210059,
    "rev": 1,
    "signature": "SURICATA STREAM pkt seen on wrong thread",
    "category": "",
    "severity": 3
  },
  "http": {
    "hostname": "suricata-ids.org",
    "url": "/features/all-features/",
    "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "http_refer": "http://suricata-ids.org/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  },
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 16,
    "pkts_toclient": 12,
    "bytes_toserver": 2900,
    "bytes_toclient": 888,
    "start": "2019-06-11T15:41:14.581062+0000"
  },
  "payload": "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",
  "payload_printable": "GET /features/all-features/ HTTP/1.1\r\nHost: suricata-ids.org\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://suricata-ids.org/\r\nConnection: keep-alive\r\nIf-Modified-Since: Sat, 29 Mar 2014 09:44:34 GMT\r\nCache-Control: max-age=0\r\n\r\n",
  "stream": 0,
  "packet": "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",
  "packet_info": {
    "linktype": 1
  }
}



3)

YES - wrong threads/packets counters present 

NIC setup:

rmmod i40e && modprobe i40e
ifconfig ens5f1 down
/usr/local/sbin/ethtool -L ens5f1 combined 36
/usr/local/sbin/ethtool -K ens5f1 rxhash on
/usr/local/sbin/ethtool -K ens5f1 ntuple on
ifconfig ens5f1 up
/opt/i40e/i40e-2.7.29/scripts/set_irq_affinity local ens5f1
/usr/local/sbin/ethtool -X ens5f1 hkey 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A equal 36

/usr/local/sbin/ethtool -A ens5f1 rx off tx off
/usr/local/sbin/ethtool -C ens5f1 adaptive-rx off adaptive-tx off rx-usecs 125
/usr/local/sbin/ethtool -G ens5f1 rx 1024
ip link set ens5f1 promisc on arp off up
echo 1 > /proc/sys/net/ipv6/conf/ens5f1/disable_ipv6

/usr/local/sbin/ethtool -x ens5f1
/usr/local/sbin/ethtool -n ens5f1

for proto in tcp4 udp4 tcp6 udp6; do
       echo "/usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn"
       /usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn
done

suricata -c /etc/suricata/suricata.yaml -S /opt/wrongthread.rules -vvv  --af-packet


suricata --dump-config |grep af-packet
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = ens5f1
af-packet.0.threads = 18
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_qm
af-packet.0.defrag = yes
af-packet.0.xdp-mode = driver
af-packet.0.xdp-filter-file = /etc/suricata/xdp_filter.bpf
af-packet.0.bypass = yes
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.tpacket-v3 = yes
af-packet.0.ring-size = 300000
af-packet.0.block-size = 2097152
af-packet.1 = interface
af-packet.1.interface = ens5f1
af-packet.1.threads = 18
af-packet.1.cluster-id = 99
af-packet.1.cluster-type = cluster_qm
af-packet.1.defrag = yes
af-packet.1.xdp-mode = driver
af-packet.1.xdp-filter-file = /etc/suricata/xdp_filter.bpf
af-packet.1.bypass = yes
af-packet.1.use-mmap = yes
af-packet.1.mmap-locked = yes
af-packet.1.tpacket-v3 = yes
af-packet.1.ring-size = 300000
af-packet.1.block-size = 2097152
af-packet.2 = interface
af-packet.2.interface = default



[70848] 11/6/2019 -- 15:51:02 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 25 flows processed
[70849] 11/6/2019 -- 15:51:02 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 14 flows processed
[70851] 11/6/2019 -- 15:51:02 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 13 flows processed
[70847] 11/6/2019 -- 15:51:02 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 12 flows processed
[70850] 11/6/2019 -- 15:51:02 - (flow-manager.c:947) <Perf> (FlowRecycler) -- 8 flows processed
[70801] 11/6/2019 -- 15:51:02 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-ens5f1) Kernel: Packets 0, dropped 0
[70802] 11/6/2019 -- 15:51:03 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#02-ens5f1) Kernel: Packets 0, dropped 0
[70803] 11/6/2019 -- 15:51:03 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#03-ens5f1) Kernel: Packets 0, dropped 0
[70804] 11/6/2019 -- 15:51:03 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#04-ens5f1) Kernel: Packets 0, dropped 0
[70805] 11/6/2019 -- 15:51:03 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#05-ens5f1) Kernel: Packets 9463, dropped 0
[70806] 11/6/2019 -- 15:51:03 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#06-ens5f1) Kernel: Packets 0, dropped 0
[70807] 11/6/2019 -- 15:51:03 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#07-ens5f1) Kernel: Packets 0, dropped 0
[70808] 11/6/2019 -- 15:51:03 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#08-ens5f1) Kernel: Packets 565, dropped 0
[70809] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#09-ens5f1) Kernel: Packets 0, dropped 0
[70810] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#10-ens5f1) Kernel: Packets 5, dropped 0
[70811] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#11-ens5f1) Kernel: Packets 0, dropped 0
[70812] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#12-ens5f1) Kernel: Packets 0, dropped 0
[70813] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#13-ens5f1) Kernel: Packets 13626, dropped 0
[70814] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#14-ens5f1) Kernel: Packets 410, dropped 0
[70815] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#15-ens5f1) Kernel: Packets 555, dropped 0
[70816] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#16-ens5f1) Kernel: Packets 0, dropped 0
[70817] 11/6/2019 -- 15:51:04 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#17-ens5f1) Kernel: Packets 0, dropped 0
[70818] 11/6/2019 -- 15:51:05 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#18-ens5f1) Kernel: Packets 0, dropped 0
[70820] 11/6/2019 -- 15:51:05 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#01-ens5f1) Kernel: Packets 0, dropped 0
[70821] 11/6/2019 -- 15:51:05 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#02-ens5f1) Kernel: Packets 0, dropped 0
[70822] 11/6/2019 -- 15:51:05 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#03-ens5f1) Kernel: Packets 0, dropped 0
[70823] 11/6/2019 -- 15:51:05 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#04-ens5f1) Kernel: Packets 0, dropped 0
[70824] 11/6/2019 -- 15:51:05 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#05-ens5f1) Kernel: Packets 0, dropped 0
[70825] 11/6/2019 -- 15:51:05 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#06-ens5f1) Kernel: Packets 0, dropped 0
[70826] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#07-ens5f1) Kernel: Packets 403, dropped 0
[70827] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#08-ens5f1) Kernel: Packets 0, dropped 0
[70828] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#09-ens5f1) Kernel: Packets 0, dropped 0
[70829] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#10-ens5f1) Kernel: Packets 0, dropped 0
[70830] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#11-ens5f1) Kernel: Packets 0, dropped 0
[70831] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#12-ens5f1) Kernel: Packets 5090, dropped 0
[70832] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#13-ens5f1) Kernel: Packets 0, dropped 0
[70833] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#14-ens5f1) Kernel: Packets 0, dropped 0
[70834] 11/6/2019 -- 15:51:06 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#15-ens5f1) Kernel: Packets 0, dropped 0
[70835] 11/6/2019 -- 15:51:07 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#16-ens5f1) Kernel: Packets 0, dropped 0
[70836] 11/6/2019 -- 15:51:07 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#17-ens5f1) Kernel: Packets 0, dropped 0
[70837] 11/6/2019 -- 15:51:07 - (source-af-packet.c:2681) <Perf> (ReceiveAFPThreadExitStats) -- (W#18-ens5f1) Kernel: Packets 0, dropped 0
[70800] 11/6/2019 -- 15:51:07 - (counters.c:849) <Info> (StatsLogSummary) -- Alerts: 4
[70800] 11/6/2019 -- 15:51:10 - (ippair.c:290) <Perf> (IPPairPrintStats) -- ippair memory usage: 414144 bytes, maximum: 16777216
[70800] 11/6/2019 -- 15:51:12 - (host.c:294) <Perf> (HostPrintStats) -- host memory usage: 398144 bytes, maximum: 33554432
[70800] 11/6/2019 -- 15:51:12 - (detect-engine-build.c:1732) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... complete
[70800] 11/6/2019 -- 15:51:12 - (util-device.c:337) <Notice> (LiveDeviceListClean) -- Stats for 'ens5f1':  pkts: 30117, drop: 0 (0.00%), invalid chksum: 0
[70800] 11/6/2019 -- 15:51:12 - (util-ioctl.c:502) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring gro offloading
[70800] 11/6/2019 -- 15:51:12 - (util-ioctl.c:508) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring tso offloading
[70800] 11/6/2019 -- 15:51:12 - (util-ioctl.c:514) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring gso offloading
[70800] 11/6/2019 -- 15:51:12 - (util-ioctl.c:520) <Perf> (RestoreIfaceOffloadingLinux) -- ens5f1: restoring sg offloading
[70800] 11/6/2019 -- 15:51:12 - (util-device.c:337) <Notice> (LiveDeviceListClean) -- Stats for 'ens5f1':  pkts: 0, drop: 0 (-nan%), invalid chksum: 0



tail -F /var/log/suricata/stats.log  |grep -E "kernel|wrong|memcap|emer|frag"
capture.kernel_packets                        | Total                     | 30114
defrag.ipv4.fragments                         | Total                     | 8760
defrag.ipv4.reassembled                       | Total                     | 132
defrag.ipv6.fragments                         | Total                     | 16740
defrag.ipv6.reassembled                       | Total                     | 107
decoder.event.ipv4.frag_overlap               | Total                     | 4833
decoder.event.ipv6.frag_overlap               | Total                     | 8615
stream.wrong_thread                           | Total                     | 4
tcp.pkt_on_wrong_thread                       | Total                     | 8



grep '"event_type":"alert"' /var/log/suricata/eve.json |jq .alert.signature | sort |uniq -c | sort -rn
      4 "SURICATA STREAM pkt seen on wrong thread"

      
grep '"event_type":"alert"' /var/log/suricata/eve.json |jq .
{
  "timestamp": "2019-06-11T15:47:09.144799+0000",
  "flow_id": 733321860258928,
  "in_iface": "ens5f1",
  "event_type": "alert",
  "src_ip": "6390:dea8:4f10:dea8:4b1c:efaf:63d3:4367",
  "src_port": 38325,
  "dest_ip": "6390:dea8:4f10:dea8:4b1c:efaf:6bd2:ebe9",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2210059,
    "rev": 1,
    "signature": "SURICATA STREAM pkt seen on wrong thread",
    "category": "",
    "severity": 3
  },
  "http": {
    "hostname": "suricata-ids.org",
    "url": "/features/all-features/",
    "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "http_refer": "http://suricata-ids.org/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  },
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 49,
    "pkts_toclient": 54,
    "bytes_toserver": 9185,
    "bytes_toclient": 3996,
    "start": "2019-06-11T15:47:08.957552+0000"
  },
  "payload": "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",
  "payload_printable": "GET /features/all-features/ HTTP/1.1\r\nHost: suricata-ids.org\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://suricata-ids.org/\r\nConnection: keep-alive\r\nIf-Modified-Since: Sat, 29 Mar 2014 09:44:34 GMT\r\nCache-Control: max-age=0\r\n\r\n",
  "stream": 0,
  "packet": "UlQAEjUCCAAnv0+Kht1gAAAAAccsQGOQ3qhPEN6oSxzvr2PTQ2djkN6oTxDeqEsc769r0uvpBgAAAAAAAACVtQBQTV13uaIWwBZQGCAA82cAAEdFVCAvZmVhdHVyZXMvYWxsLWZlYXR1cmVzLyBIVFRQLzEuMQ0KSG9zdDogc3VyaWNhdGEtaWRzLm9yZw0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKFgxMTsgVWJ1bnR1OyBMaW51eCB4ODZfNjQ7IHJ2OjI4LjApIEdlY2tvLzIwMTAwMTAxIEZpcmVmb3gvMjguMA0KQWNjZXB0OiB0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KUmVmZXJlcjogaHR0cDovL3N1cmljYXRhLWlkcy5vcmcvDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpJZi1Nb2RpZmllZC1TaW5jZTogU2F0LCAyOSBNYXIgMjAxNCAwOTo0NDozNCBHTVQNCkNhY2hlLUNvbnRyb2w6IG1heC1hZ2U9MA0KDQo=",
  "packet_info": {
    "linktype": 1
  }
}
{
  "timestamp": "2019-06-11T15:47:12.698297+0000",
  "flow_id": 733321860511114,
  "in_iface": "ens5f1",
  "event_type": "alert",
  "src_ip": "6390:dea8:4f10:dea8:4b1c:efaf:63d3:4367",
  "src_port": 38325,
  "dest_ip": "6390:dea8:4f10:dea8:4b1c:efaf:6bd2:ebe9",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2210059,
    "rev": 1,
    "signature": "SURICATA STREAM pkt seen on wrong thread",
    "category": "",
    "severity": 3
  },
  "http": {
    "hostname": "suricata-ids.org",
    "url": "/features/all-features/",
    "http_user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "http_refer": "http://suricata-ids.org/",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "length": 0
  },
  "app_proto": "http",
  "flow": {
    "pkts_toserver": 16,
    "pkts_toclient": 12,
    "bytes_toserver": 2900,
    "bytes_toclient": 888,
    "start": "2019-06-11T15:47:12.423306+0000"
  },
  "payload": "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",
  "payload_printable": "GET /features/all-features/ HTTP/1.1\r\nHost: suricata-ids.org\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://suricata-ids.org/\r\nConnection: keep-alive\r\nIf-Modified-Since: Sat, 29 Mar 2014 09:44:34 GMT\r\nCache-Control: max-age=0\r\n\r\n",
  "stream": 0,
  "packet": "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",
  "packet_info": {
    "linktype": 1
  }
}
{
  "timestamp": "2019-06-11T15:47:23.686408+0000",
  "flow_id": 1635694490131254,
  "in_iface": "ens5f1",
  "event_type": "alert",
  "src_ip": "6390:dea8:4f10:dea8:4b1c:efaf:63d3:4367",
  "src_port": 38325,
  "dest_ip": "6390:dea8:4f10:dea8:4b1c:efaf:6bd2:ebe9",
  "dest_port": 55555,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2210059,
    "rev": 1,
    "signature": "SURICATA STREAM pkt seen on wrong thread",
    "category": "",
    "severity": 3
  },
  "flow": {
    "pkts_toserver": 49,
    "pkts_toclient": 54,
    "bytes_toserver": 9809,
    "bytes_toclient": 3996,
    "start": "2019-06-11T15:47:23.498486+0000"
  },
  "payload": "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",
  "payload_printable": "RANDOM data 12345 - 007 Sexy and You know it 007GET /features/all-features/ HTTP/1.1\r\nHost: suricata-ids.org\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://suricata-ids.org/\r\nConnection: keep-alive\r\nIf-Modified-Since: Sat, 29 Mar 2014 09:44:34 GMT\r\nCache-Control: max-age=0\r\n\r\n",
  "stream": 0,
  "packet": "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",
  "packet_info": {
    "linktype": 1
  }
}
{
  "timestamp": "2019-06-11T15:47:27.537840+0000",
  "flow_id": 1635694490383768,
  "in_iface": "ens5f1",
  "event_type": "alert",
  "src_ip": "6390:dea8:4f10:dea8:4b1c:efaf:63d3:4367",
  "src_port": 38325,
  "dest_ip": "6390:dea8:4f10:dea8:4b1c:efaf:6bd2:ebe9",
  "dest_port": 55555,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2210059,
    "rev": 1,
    "signature": "SURICATA STREAM pkt seen on wrong thread",
    "category": "",
    "severity": 3
  },
  "flow": {
    "pkts_toserver": 16,
    "pkts_toclient": 12,
    "bytes_toserver": 3092,
    "bytes_toclient": 888,
    "start": "2019-06-11T15:47:27.226712+0000"
  },
  "payload": "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",
  "payload_printable": "RANDOM data 12345 - 007 Sexy and You know it 007GET /features/all-features/ HTTP/1.1\r\nHost: suricata-ids.org\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://suricata-ids.org/\r\nConnection: keep-alive\r\nIf-Modified-Since: Sat, 29 Mar 2014 09:44:34 GMT\r\nCache-Control: max-age=0\r\n\r\n",
  "stream": 0,
  "packet": "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",
  "packet_info": {
    "linktype": 1
  }
}


echo -n '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' | base64 -d | hexdump -C
00000000  52 54 00 12 35 02 08 00  27 bf 4f 8a 86 dd 60 00  |RT..5...'.O...`.|
00000010  00 00 01 f7 2c 40 63 90  de a8 4f 10 de a8 4b 1c  |....,@c...O...K.|
00000020  ef af 63 d3 43 67 63 90  de a8 4f 10 de a8 4b 1c  |..c.Cgc...O...K.|
00000030  ef af 6b d2 eb e9 06 00  00 00 00 00 00 00 95 b5  |..k.............|
00000040  d9 03 ff ff ff ff 77 c9  2b 5a 50 18 20 00 f3 97  |......w.+ZP. ...|
00000050  00 00 52 41 4e 44 4f 4d  20 64 61 74 61 20 31 32  |..RANDOM data 12|
00000060  33 34 35 20 2d 20 30 30  37 20 53 65 78 79 20 61  |345 - 007 Sexy a|
00000070  6e 64 20 59 6f 75 20 6b  6e 6f 77 20 69 74 20 30  |nd You know it 0|
00000080  30 37 47 45 54 20 2f 66  65 61 74 75 72 65 73 2f  |07GET /features/|
00000090  61 6c 6c 2d 66 65 61 74  75 72 65 73 2f 20 48 54  |all-features/ HT|
000000a0  54 50 2f 31 2e 31 0d 0a  48 6f 73 74 3a 20 73 75  |TP/1.1..Host: su|
000000b0  72 69 63 61 74 61 2d 69  64 73 2e 6f 72 67 0d 0a  |ricata-ids.org..|
000000c0  55 73 65 72 2d 41 67 65  6e 74 3a 20 4d 6f 7a 69  |User-Agent: Mozi|
000000d0  6c 6c 61 2f 35 2e 30 20  28 58 31 31 3b 20 55 62  |lla/5.0 (X11; Ub|
000000e0  75 6e 74 75 3b 20 4c 69  6e 75 78 20 78 38 36 5f  |untu; Linux x86_|
000000f0  36 34 3b 20 72 76 3a 32  38 2e 30 29 20 47 65 63  |64; rv:28.0) Gec|
00000100  6b 6f 2f 32 30 31 30 30  31 30 31 20 46 69 72 65  |ko/20100101 Fire|
00000110  66 6f 78 2f 32 38 2e 30  0d 0a 41 63 63 65 70 74  |fox/28.0..Accept|
00000120  3a 20 74 65 78 74 2f 68  74 6d 6c 2c 61 70 70 6c  |: text/html,appl|
00000130  69 63 61 74 69 6f 6e 2f  78 68 74 6d 6c 2b 78 6d  |ication/xhtml+xm|
00000140  6c 2c 61 70 70 6c 69 63  61 74 69 6f 6e 2f 78 6d  |l,application/xm|
00000150  6c 3b 71 3d 30 2e 39 2c  2a 2f 2a 3b 71 3d 30 2e  |l;q=0.9,*/*;q=0.|
00000160  38 0d 0a 41 63 63 65 70  74 2d 4c 61 6e 67 75 61  |8..Accept-Langua|
00000170  67 65 3a 20 65 6e 2d 55  53 2c 65 6e 3b 71 3d 30  |ge: en-US,en;q=0|
00000180  2e 35 0d 0a 41 63 63 65  70 74 2d 45 6e 63 6f 64  |.5..Accept-Encod|
00000190  69 6e 67 3a 20 67 7a 69  70 2c 20 64 65 66 6c 61  |ing: gzip, defla|
000001a0  74 65 0d 0a 52 65 66 65  72 65 72 3a 20 68 74 74  |te..Referer: htt|
000001b0  70 3a 2f 2f 73 75 72 69  63 61 74 61 2d 69 64 73  |p://suricata-ids|
000001c0  2e 6f 72 67 2f 0d 0a 43  6f 6e 6e 65 63 74 69 6f  |.org/..Connectio|
000001d0  6e 3a 20 6b 65 65 70 2d  61 6c 69 76 65 0d 0a 49  |n: keep-alive..I|
000001e0  66 2d 4d 6f 64 69 66 69  65 64 2d 53 69 6e 63 65  |f-Modified-Since|
000001f0  3a 20 53 61 74 2c 20 32  39 20 4d 61 72 20 32 30  |: Sat, 29 Mar 20|
00000200  31 34 20 30 39 3a 34 34  3a 33 34 20 47 4d 54 0d  |14 09:44:34 GMT.|
00000210  0a 43 61 63 68 65 2d 43  6f 6e 74 72 6f 6c 3a 20  |.Cache-Control: |
00000220  6d 61 78 2d 61 67 65 3d  30 0d 0a 0d 0a           |max-age=0....|
0000022d
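
Added example (not part of the original report): decoding the headers of the frame in the hexdump above shows that the alerting packet is TCP carried behind an IPv6 Fragment extension header (next header 44), with the same addresses and ports as the eve.json record. `FRAME_HEX` holds the first 82 bytes copied from that hexdump; `decode_frame` and its field names are hypothetical.

```python
import ipaddress
import struct

# First 82 bytes (headers only) of the frame, copied from the hexdump above.
FRAME_HEX = (
    "525400123502080027bf4f8a86dd6000"
    "000001f72c406390dea84f10dea84b1c"
    "efaf63d343676390dea84f10dea84b1c"
    "efaf6bd2ebe9060000000000000095b5"
    "d903ffffffff77c92b5a50182000f397"
    "0000"
)
ETH_LEN, IP6_LEN, FRAG_LEN = 14, 40, 8
NH_TCP, NH_FRAGMENT = 6, 44  # IPv6 Next Header values


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet + IPv6 (+ Fragment header) + TCP ports. Hypothetical helper."""
    if len(frame) < ETH_LEN + IP6_LEN:
        raise ValueError("frame too short for Ethernet + IPv6")
    if struct.unpack_from("!H", frame, 12)[0] != 0x86DD:
        raise ValueError("not an IPv6 frame")
    payload_len, next_hdr = struct.unpack_from("!HB", frame, ETH_LEN + 4)
    info = {
        "src_ip": str(ipaddress.IPv6Address(frame[22:38])),
        "dest_ip": str(ipaddress.IPv6Address(frame[38:54])),
        "payload_len": payload_len,
        "fragment": None,
    }
    off = ETH_LEN + IP6_LEN
    if next_hdr == NH_FRAGMENT:
        if len(frame) < off + FRAG_LEN:
            raise ValueError("truncated Fragment header")
        next_hdr, _, off_flags, ident = struct.unpack_from("!BBHI", frame, off)
        info["fragment"] = {
            "offset": (off_flags >> 3) * 8,  # fragment offset in bytes
            "more_fragments": bool(off_flags & 1),
            "id": ident,
        }
        off += FRAG_LEN
    info["l4_proto"] = next_hdr
    # TCP ports are only present in the fragment that starts at offset 0.
    first = info["fragment"] is None or info["fragment"]["offset"] == 0
    if next_hdr == NH_TCP and first and len(frame) >= off + 4:
        info["src_port"], info["dest_port"] = struct.unpack_from("!HH", frame, off)
    return info


if __name__ == "__main__":
    print(decode_frame(bytes.fromhex(FRAME_HEX)))
```
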


4)

YES - wrong thread/packet counters are present.

The only difference between the previous run and this one is that "af-packet.0.defrag = no" and "af-packet.1.defrag = no" are set. The results are the same.

NIC setup:


rmmod i40e && modprobe i40e
ifconfig ens5f1 down
/usr/local/sbin/ethtool -L ens5f1 combined 36
/usr/local/sbin/ethtool -K ens5f1 rxhash on
/usr/local/sbin/ethtool -K ens5f1 ntuple on
ifconfig ens5f1 up
/opt/i40e/i40e-2.7.29/scripts/set_irq_affinity local ens5f1
/usr/local/sbin/ethtool -X ens5f1 hkey 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A equal 36

/usr/local/sbin/ethtool -A ens5f1 rx off tx off
/usr/local/sbin/ethtool -C ens5f1 adaptive-rx off adaptive-tx off rx-usecs 125
/usr/local/sbin/ethtool -G ens5f1 rx 1024
ip link set ens5f1 promisc on arp off up
echo 1 > /proc/sys/net/ipv6/conf/ens5f1/disable_ipv6

/usr/local/sbin/ethtool -x ens5f1
/usr/local/sbin/ethtool -n ens5f1

for proto in tcp4 udp4 tcp6 udp6; do
       echo "/usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn"
       /usr/local/sbin/ethtool -N ens5f1 rx-flow-hash $proto sdfn
done

suricata -c /etc/suricata/suricata.yaml -S /opt/wrongthread.rules -vvv  --af-packet


suricata --dump-config |grep af-packet
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = ens5f1
af-packet.0.threads = 18
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_qm
af-packet.0.defrag = no
af-packet.0.xdp-mode = driver
af-packet.0.xdp-filter-file = /etc/suricata/xdp_filter.bpf
af-packet.0.bypass = yes
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.tpacket-v3 = yes
af-packet.0.ring-size = 300000
af-packet.0.block-size = 2097152
af-packet.1 = interface
af-packet.1.interface = ens5f1
af-packet.1.threads = 18
af-packet.1.cluster-id = 99
af-packet.1.cluster-type = cluster_qm
af-packet.1.defrag = no
af-packet.1.xdp-mode = driver
af-packet.1.xdp-filter-file = /etc/suricata/xdp_filter.bpf
af-packet.1.bypass = yes
af-packet.1.use-mmap = yes
af-packet.1.mmap-locked = yes
af-packet.1.tpacket-v3 = yes
af-packet.1.ring-size = 300000
af-packet.1.block-size = 2097152
af-packet.2 = interface
af-packet.2.interface = default

tail -F /var/log/suricata/stats.log  |grep -E "kernel|wrong|memcap|emer|frag"
capture.kernel_packets                        | Total                     | 30114
defrag.ipv4.fragments                         | Total                     | 8760
defrag.ipv4.reassembled                       | Total                     | 132
defrag.ipv6.fragments                         | Total                     | 16740
defrag.ipv6.reassembled                       | Total                     | 107
decoder.event.ipv4.frag_overlap               | Total                     | 4833
decoder.event.ipv6.frag_overlap               | Total                     | 8615
stream.wrong_thread                           | Total                     | 4
tcp.pkt_on_wrong_thread                       | Total                     | 8

### Reproducible Test ####

