<div dir="ltr"><div><div><div><div><div><div><div>Hi,<br><br>In high networking load I noticed that packet dropped stats went above 100%.<br></div>I get stats like this one, for example:<br><br>
  pkts : 250833
<br>
  drop : 749860
<br>
  drop % : 298,95%
<br><br></div>That got me suspicious, since I sent exactly 1M packets to Suricata, and the sum of those 2 numbers is around that 1M.<br><br></div>Both pcap and pf_ring modes are affected. <br></div>Looking through the source-pcap.c file, in lines 661-663 I found the following formula:<br><br>
<pre>SCLogInfo("(%s) Pcap Total:%" PRIu64 " Recv:%" PRIu64 " Drop:%" PRIu64 " (%02.1f%%).", tv-&gt;name,
        (uint64_t)pcap_s.ps_recv, (uint64_t)pcap_s.ps_recv - (uint64_t)pcap_s.ps_drop, (uint64_t)pcap_s.ps_drop,
        (((float)(uint64_t)pcap_s.ps_drop)/(float)(uint64_t)pcap_s.ps_recv)*100);</pre>
<br></div>Lurking some more I found this old patch from 2011 that I think solves those stats issues, where the drop % is calculated on the sum of those 2 values, yet it is not implemented here.<br><br><a href="https://redmine.openinfosecfoundation.org/attachments/628/0001-Fix-for-silly-pcap-counters-mistake-made-by-me.-ps_r.patch">https://redmine.openinfosecfoundation.org/attachments/628/0001-Fix-for-silly-pcap-counters-mistake-made-by-me.-ps_r.patch</a><br><br></div>Any reason why?<br><br></div>P.S. AF-Packet correctly reports 1M total received on the NIC and drop% is correct, at least it looks ok.<br></div>
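Added example (not part of the original post and not Suricata's code): the quoted arithmetic next to the sum-based denominator the post describes, run on the posted counters. It assumes the posted pkts and drop values correspond to ps_recv and ps_drop; the struct and function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical summary of one capture thread's counters. */
struct cap_summary {
    uint64_t total, delivered, dropped;
    double drop_pct;
};

/* Same arithmetic as the quoted SCLogInfo() arguments (in double): ps_recv
 * is treated as the total, "Recv" is ps_recv - ps_drop, drop% is drop/recv. */
struct cap_summary summarize_quoted(uint64_t ps_recv, uint64_t ps_drop)
{
    struct cap_summary s = { ps_recv, ps_recv - ps_drop, ps_drop, 0.0 };
    if (ps_recv != 0)
        s.drop_pct = (double)ps_drop / (double)ps_recv * 100.0;
    return s;   /* delivered wraps around when ps_drop > ps_recv */
}

/* Assumption: ps_recv excludes dropped packets, so total = recv + drop. */
struct cap_summary summarize_sum(uint64_t ps_recv, uint64_t ps_drop)
{
    struct cap_summary s = { ps_recv + ps_drop, ps_recv, ps_drop, 0.0 };
    if (s.total != 0)
        s.drop_pct = (double)ps_drop / (double)s.total * 100.0;
    return s;   /* drop_pct always stays within 0..100 */
}

static void show(const char *label, struct cap_summary s)
{
    printf("%-7s total=%" PRIu64 " delivered=%" PRIu64 " dropped=%" PRIu64
           " (%.2f%%)\n", label, s.total, s.delivered, s.dropped, s.drop_pct);
}

int main(void)
{
    /* Counters copied from the stats in the post. */
    const uint64_t recv = 250833, drop = 749860;

    show("quoted:", summarize_quoted(recv, drop));
    show("sum:", summarize_sum(recv, drop));
    return 0;
}
```

With these counters the quoted arithmetic also underflows the unsigned "Recv" value, because the drop count is larger than the receive count.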