[Oisf-devel] Incorrect packet stats in pcap and pf_ring capture modes

Peter Manev petermanev at gmail.com
Mon Oct 3 08:31:42 UTC 2016

On Fri, Sep 16, 2016 at 10:50 PM, m1234dm1234n1234 .
<brainbug123 at gmail.com> wrote:
> Hi,
> In high networking load i noticed that packet dropped stats went above 100%.
> I get stats like this one in example:
> pkts :  250833
> drop : 749860
> drop % : 298,95%
> What got me suspicious since i sent exactly 1M packets to Suricata, and the sum of those 2 numbers is around that 1M.
> Both pcap and pf_ring modes are affected.
> Looking through source-pcap.c file, in lines 661-663 i found next formula :
> SCLogInfo("(%s) Pcap Total:%" PRIu64 " Recv:%" PRIu64 " Drop:%" PRIu64 " (%02.1f%%).", tv->name,
> (uint64_t)pcap_s.ps_recv, (uint64_t)pcap_s.ps_recv - (uint64_t)pcap_s.ps_drop, (uint64_t)pcap_s.ps_drop,
> (((float)(uint64_t)pcap_s.ps_drop)/(float)(uint64_t)pcap_s.ps_recv)*100);
> Lurking some more i found this old patch from 2011 that I think solves those stats issues where the drop% is calculated on the sum of those 2 values,yet here is not implemented.
> https://redmine.openinfosecfoundation.org/attachments/628/0001-Fix-for-silly-pcap-counters-mistake-made-by-me.-ps_r.patch
> Any reason why ?

I had a discussion with a number of ppl with regards to the above.
It seems there are could be a few dependencies and variations of the
calculations in general (not just suricata) - depending on kernel
version (for pcap specifically) and some more depending on Intel
driver versions (possibly affecting capture modes like netmap and

When talking to Jason about it - I think a sane good idea came up - we
should document that (as a first step) and decide how we should handle
that - supporting every variation or making sure it is documented.

Can you please open a support ticket I guess? Since i believe this
needs more investigation.

> P.S. AF-Packet correctly reports 1M total received on the NIC and drop% is correct, at least it looks ok.
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/

Peter Manev

More information about the Oisf-devel mailing list