Hi,

It is recommended to maximize the buffers for both rx and tx to prevent packet drops. The script currently only sets a fixed buffer size of 4096 for rx. Line 26 should look like this:
/sbin/ethtool -G $IFACE rx 4096 tx 4096 >/dev/null 2>&1 ;

See here (network card config): https://github.com/aol/moloch/wiki/FAQ#why-am-i-dropping-packets

It would be even better to probe the network card compatibility and dynamically alter the buffer size accordingly (a bit ugly but it works):

RXBUFSIZE=$(ethtool -g $IFACE | grep -m1 RX: | grep -o '[[:digit:]]')
TXBUFSIZE=$(ethtool -g $IFACE | grep -m1 TX: | grep -o '[[:digit:]]')
/sbin/ethtool -G $IFACE rx $RXBUFSIZE tx $TXBUFSIZE >/dev/null 2>&1 ;

Cheers,
Jeroen Rijken

You mean - in case it is needed to send out / aka if we do IPS mode?

I'll be honest, I was just following that guide and noticed that SELKS didn't set that buffer. But I guess yes when doing IPS mode. It is also (more or less) mentioned in the Suricata manual: https://suricata.readthedocs.io/en/latest/performance/packet-capture.html#recommendations
Chances are you know more about it than I do, just thought I should mention it.

Closing stale issue.