NFQUEUE

cat /proc/net/netfilter/nfnetlink_queue

1. queue number
2. peer portid: most likely the process ID of the software listening on the queue
3. queue total: current number of packets waiting in the queue
4. copy mode: with 0 or 1, messages carry only metadata; with 2, messages carry a part of the packet of size copy range
5. copy range: length of packet data to put in the message
6. queue dropped: number of packets dropped because the queue was full
7. user dropped: number of packets dropped because the netlink message could not be sent to userspace. If this counter is not zero, try increasing the netlink buffer size. On the application side, you will see gaps in the packet ids if netlink messages are lost.
8. id sequence: packet id of the last packet
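
The following Python sketch is an added example, not part of the original notes: it parses the eight columns listed above and flags the two drop counters plus a growing backlog. The SAMPLE lines and the backlog_warn threshold are constructed assumptions; any columns after the eighth are ignored.

```python
from typing import List, NamedTuple

class QueueStat(NamedTuple):
    queue_number: int
    peer_portid: int
    queue_total: int
    copy_mode: int
    copy_range: int
    queue_dropped: int
    user_dropped: int
    id_sequence: int

def parse_queues(text: str) -> List[QueueStat]:
    """Parse one line per queue; use the first eight columns, ignore extras."""
    stats = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or not all(c.isdigit() for c in cols[:8]):
            continue  # blank or malformed line
        stats.append(QueueStat(*map(int, cols[:8])))
    return stats

def findings(q: QueueStat, backlog_warn: int = 100) -> List[str]:
    """Return warnings for one queue (backlog_warn is an assumed threshold)."""
    out = []
    if q.queue_dropped:
        out.append(f"queue {q.queue_number}: {q.queue_dropped} packets dropped, queue was full")
    if q.user_dropped:
        out.append(f"queue {q.queue_number}: {q.user_dropped} netlink sends failed, raise buffer size")
    if q.queue_total >= backlog_warn:
        out.append(f"queue {q.queue_number}: backlog of {q.queue_total} packets, "
                   f"listener (portid {q.peer_portid}) is falling behind")
    return out

# Constructed sample, used when the proc file is absent (module not loaded).
SAMPLE = """\
    0   1234     0 2 65531     0     0     5120  1
    1   1240   310 2 65531    12     7    88213  1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/netfilter/nfnetlink_queue") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE
    for q in parse_queues(text):
        for msg in findings(q) or [f"queue {q.queue_number}: ok"]:
            print(msg)
```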

Refer to:

Using NFQUEUE and libnetfilter_queue


https://www.jianshu.com/p/ee728683a0ed
https://www.netfilter.org/projects/libnetfilter_queue
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Runmodes
https://suricata.readthedocs.io/en/suricata-6.0.2/