[Oisf-users] Clarification on dropped packet counters

Fernando Ortiz fernando.ortiz.f at gmail.com
Wed Aug 10 20:31:40 UTC 2011


Thank you both for the answers. There is an option in suricata.yaml
"checksum_validation: yes #Validate packet checksum, reject packets with
invalid checksums."

Are packets with wrong checksums dropped and registered by
(ReceivePcapThreadExitStats) or (ReceiveNFQThreadExitStats)?
I guess no, because if that's the case, they shouldn't pass through Suricata
and that option wouldn't make sense.

Please excuse me if I am going around in circles with this question; I am
very confused about exactly which dropped packets are registered when Suricata
stops, and these are my indicators for measuring how reliable Suricata is in
my network.

Regards,

Fernando

2011/8/10 Gene Albin <gene.albin at gmail.com>

> Fernando,
>   I think the difference is where the packets are dropped.  (please correct
> me if I'm wrong).  Drops from the memcap counters are because too few memory
> resources have been assigned to the suricata engine, therefore the memory
> buffer fills and Suricata drops the packet.  On the other hand, the dropped
> packets reported by (ReceivePcapThreadExitStats) are dropped at the pcap
> level, before it even gets into Suricata.  Indicative, I think, of a problem
> in the OS or the hardware, but not in Suricata.
>
>   Any sage advice from those who know what they're talking about?
>
> Gene
>
> On Wed, Aug 10, 2011 at 12:36 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
>
>> > Will, I have a question. Is the number of dropped packets registered when
>> > Suricata stops independent of the number of packets dropped by
>> > memcap_drops in stats.log?
>>
>> Yes
>>
>> On Wed, Aug 10, 2011 at 2:34 PM, Fernando Ortiz
>> <fernando.ortiz.f at gmail.com> wrote:
>> > Will, I have a question. Is the number of dropped packets registered when
>> > Suricata stops independent of the number of packets dropped by
>> > memcap_drops in stats.log?
>> >
>> > Cheers,
>> > Fernando
>> >
>>
>
>
> --
> Gene Albin
> gene.albin at gmail.com
>
>


-- 
Fernando Ortiz
Twitter: http://twitter.com/FernandOrtizF