For usability, Retina would benefit from better documentation for a few things that we have found to be confusing for users:
Cross-layer interactions can be tricky to understand. For example, if a filter has session-level semantics but packets are requested, then only the packets from the session -- not the whole connection -- are delivered.
The port statistics (good, ingress, process) can be non-intuitive. Ingress = packets that hit the NIC; good = packets remaining after the hardware filter and CRC checking; process = packets that reach the cores running the RX loop (excluding the sink core).
Reassembly may not always lead to expected behavior when tracking connection statistics. E.g., filtering for "tls" will track connection statistics post-reassembly until the protocol is identified, then pre-reassembly.
Regular expressions follow the https://crates.io/crates/regex semantics.