[Oisf-devel] Incorrect packet stats in pcap and pf_ring capture modes
m1234dm1234n1234 .
brainbug123 at gmail.com
Fri Sep 16 20:50:11 UTC 2016
Hi,
In high networking load i noticed that packet dropped stats went above 100%.
I get stats like this one in example:
pkts : 250833
drop : 749860
drop % : 298,95%
What got me suspicious since i sent exactly 1M packets to Suricata, and the
sum of those 2 numbers is around that 1M.
Both pcap and pf_ring modes are affected.
Looking through source-pcap.c file, in lines 661-663 i found next formula :
SCLogInfo("(%s) Pcap Total:%" PRIu64 " Recv:%" PRIu64 " Drop:%" PRIu64 " (
%02.1f%%).", tv->name,
(uint64_t)pcap_s.ps_recv, (uint64_t)pcap_s.ps_recv - (uint64_t)pcap_s.
ps_drop, (uint64_t)pcap_s.ps_drop,
(((float)(uint64_t)pcap_s.ps_drop)/(float)(uint64_t)pcap_s.ps_recv)*100);
Lurking some more i found this old patch from 2011 that I think solves
those stats issues where the drop% is calculated on the sum of those 2
values,yet here is not implemented.
https://redmine.openinfosecfoundation.org/attachments/628/0001-Fix-for-silly-pcap-counters-mistake-made-by-me.-ps_r.patch
Any reason why ?
P.S. AF-Packet correctly reports 1M total received on the NIC and drop% is
correct, at least it looks ok.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20160916/9fd5b9fe/attachment.html>
More information about the Oisf-devel
mailing list