[Oisf-users] more packets decoded than captured

[Victor Julien]

On 07/05/2013 03:16 AM, Theodore Elhourani wrote:
> In a test run the suricata is reporting in the stats.log file a larger
> number of decoded packets than captured:
> 
> $ cat /var/log/suricata/stats.log  | grep "kernel_packets\|decoder.pkt"
> | tail -8
> capture.kernel_packets    | RxAFP1                    | 207491
> decoder.pkts                   | RxAFP1                    | 207901
> capture.kernel_packets    | RxAFP2                    | 197046
> decoder.pkts                   | RxAFP2                    | 197731
> capture.kernel_packets    | RxAFP3                    | 197980
> decoder.pkts                   | RxAFP3                    | 198568
> capture.kernel_packets    | RxAFP4                    | 213311
> decoder.pkts                   | RxAFP4                    | 214289
> total captured = 815828
> total decoded = 818489
> 
> in which cases can this happen ?

It's likely that you have some tunneled packets, like teredo or
ipv6-in-ipv4 or one of the other tunnel types we support. The nested
packet(s) are treated as new & unqiue packets in Suricata.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------