[Oisf-users] Clarification on dropped packet counters

Gene Albin gene.albin at gmail.com
Tue Aug 9 21:38:33 UTC 2011


I'm trying to make sense out of the various packet metrics in the
suricata.log and stats.log files.  Can anyone shed light on what
specifically each of these counters is measuring?

suricata.log:
[4947] 8/8/2011 -- 14:50:31 - (source-pcap.c:561) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 238097983, bytes 182382168249
[4947] 8/8/2011 -- 14:50:31 - (source-pcap.c:569) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:539841804 Recv:388969943 Drop:150871861 (27.9%).

Looking at these two lines from suricata.log it looks like the pcap engine
received a total of 238 million packets AND 388 million packets.  Also,
notice how the difference between 539M and 388M is 150M AND the difference
between 388M and 238M is also 150M.  I checked another set of suricata.log
and stats.log files I have and found that this relationship between Recv and
Drop, and Packets and Drop appears to be the same in that file.

What specifically are each of these metrics measuring and from where are the
measurements taken (nic, pcap, suricata)?
What is the relationship between these numbers?

Stats.log:
decoder.pkts              | Decode & Stream   | 238097982
tcp.ssn_memcap_drop       | Decode & Stream   | 299435
tcp.segment_memcap_drop   | Decode & Stream   | 31445861

In stats.log the decoder.pkts line matches up with the (ReceivePcap) Packets
line in the suricata.log file.  What about these memcap drop lines?  They don't
seem to match up with the drop counter in suricata.log, leading me to believe
that these are packets dropped by Suricata and are independent of the ones
in the suricata.log file.

Sure would appreciate any insight into the differences between these
metrics.  I'm just a bit confused.

Thanks,
-- 
Gene Albin
gene.albin at gmail.com
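An added example (not part of the original post or of Suricata) that parses the two suricata.log exit-stats lines and the stats.log rows quoted above and computes the differences Gene compares by eye, so the "Total - Recv", "Recv - Packets" and "Packets vs decoder.pkts" relationships can be checked exactly rather than at the 150M level. The sample text is constructed from the values in the post; the regexes match only the two line shapes shown there.

```python
import re

# Constructed sample: the two suricata.log lines and the stats.log rows
# quoted in the post above (counter values copied from the post).
SURICATA_LOG = """\
[4947] 8/8/2011 -- 14:50:31 - (source-pcap.c:561) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 238097983, bytes 182382168249
[4947] 8/8/2011 -- 14:50:31 - (source-pcap.c:569) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:539841804 Recv:388969943 Drop:150871861 (27.9%).
"""
STATS_LOG = """\
decoder.pkts              | Decode & Stream   | 238097982
tcp.ssn_memcap_drop       | Decode & Stream   | 299435
tcp.segment_memcap_drop   | Decode & Stream   | 31445861
"""

PKT_RE = re.compile(r"\(ReceivePcap\) Packets (\d+), bytes (\d+)")
PCAP_RE = re.compile(r"Pcap Total:(\d+)\s+Recv:(\d+)\s+Drop:(\d+)")

def parse_exit_stats(text):
    """Return the ReceivePcap thread exit counters as a dict of ints."""
    stats = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            stats["packets"], stats["bytes"] = map(int, m.groups())
        m = PCAP_RE.search(line)
        if m:
            stats["total"], stats["recv"], stats["drop"] = map(int, m.groups())
    return stats

def parse_stats_log(text):
    """Return {counter_name: value} for 'name | thread | value' rows."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2].isdigit():
            counters[parts[0]] = int(parts[2])
    return counters

def check_relationships(exit_stats, counters):
    """Compute the differences the post compares and the pcap drop ratio."""
    total, recv, drop, pkts = (exit_stats[k] for k in ("total", "recv", "drop", "packets"))
    return {
        "total_minus_recv": total - recv,            # compare with drop
        "recv_minus_packets": recv - pkts,           # compare with drop
        "drop_pct": round(100.0 * drop / total, 1),  # the "(27.9%)" figure
        "packets_minus_decoder_pkts": pkts - counters["decoder.pkts"],
        "memcap_drops": counters["tcp.ssn_memcap_drop"] + counters["tcp.segment_memcap_drop"],
    }

if __name__ == "__main__":
    result = check_relationships(parse_exit_stats(SURICATA_LOG), parse_stats_log(STATS_LOG))
    for name, value in result.items():
        print(f"{name:28s} {value}")
```

On the quoted numbers, Total - Recv equals Drop exactly, while Recv - Packets exceeds Drop by 99 and Packets exceeds decoder.pkts by 1, so the second and third relationships are approximate rather than exact.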