<div dir="ltr">In a test run, Suricata is reporting in the stats.log file a larger number of decoded packets than captured:<div><br></div><div><div>$ cat /var/log/suricata/stats.log  | grep "kernel_packets\|decoder.pkt" | tail -8</div>
<div>capture.kernel_packets    | RxAFP1                    | 207491</div><div>decoder.pkts                   | RxAFP1                    | 207901</div><div>capture.kernel_packets    | RxAFP2                    | 197046</div>
<div>decoder.pkts                   | RxAFP2                    | 197731</div><div>capture.kernel_packets    | RxAFP3                    | 197980</div><div>decoder.pkts                   | RxAFP3                    | 198568</div>
<div>capture.kernel_packets    | RxAFP4                    | 213311</div><div>decoder.pkts                   | RxAFP4                    | 214289</div></div><div style>total captured = 815828<span class="" style="white-space:pre">    </span></div>
<div style>total decoded = 818489</div><div><br></div><div style>In which cases can this happen?</div><div style><br></div><div style>Thanks </div><div style><br></div><div style>Ted</div></div>