[Oisf-users] Strange stats about packets dropped

C. L. Martinez carlopmart at gmail.com
Wed Aug 26 06:34:03 UTC 2015


Hi all,

 I have installed Suricata 2.0.8 on Debian 8.1 amd64 (fully patched)
with PF-RING 6.0.3; it is a VM running on a CentOS 6.7 x86_64 KVM
host (also fully patched).

 And the problem is with dropped packets. According to Suricata stats:

25/8/2015 -- 13:04:36 - <Notice> - all 2 packet processing threads, 3
management threads initialized, engine started.
25/8/2015 -- 13:04:36 - <Info> - No packets with invalid checksum,
assuming checksum offloading is NOT used
25/8/2015 -- 13:04:36 - <Info> - No packets with invalid checksum,
assuming checksum offloading is NOT used
26/8/2015 -- 00:13:01 - <Notice> - Signal Received.  Stopping engine.
26/8/2015 -- 00:13:01 - <Info> - 0 new flows, 0 established flows were
timed out, 0 flows in closed state
26/8/2015 -- 00:13:01 - <Info> - time elapsed 40105.898s
26/8/2015 -- 00:13:01 - <Info> - (RxPcapeth21) Packets 10904594, bytes
6378249116
26/8/2015 -- 00:13:01 - <Info> - (RxPcapeth21) Pcap Total:10904594
Recv:18446744073701171151 Drop:19285059 (176.9%).
26/8/2015 -- 00:13:01 - <Info> - Stream TCP processed 10879967 TCP packets
26/8/2015 -- 00:13:01 - <Info> - Fast log output wrote 5 alerts
26/8/2015 -- 00:13:01 - <Info> - Alert unified2 module wrote 5 alerts
26/8/2015 -- 00:13:01 - <Info> - HTTP logger logged 22660 requests
26/8/2015 -- 00:13:01 - <Info> - (RxPcapeth22) Packets 10931434, bytes
6394457250
26/8/2015 -- 00:13:01 - <Info> - (RxPcapeth22) Pcap Total:10931434
Recv:18446744073701224831 Drop:19258219 (176.2%).
26/8/2015 -- 00:13:01 - <Info> - Stream TCP processed 10882482 TCP packets
26/8/2015 -- 00:13:01 - <Info> - Fast log output wrote 5 alerts
26/8/2015 -- 00:13:01 - <Info> - HTTP logger logged 19303 requests
26/8/2015 -- 00:13:01 - <Info> - TCP segment pool of size 65535 had a
peak use of 590 segments, more than the prealloc setting of 512
26/8/2015 -- 00:13:01 - <Info> - host memory usage: 390144 bytes,
maximum: 16777216
26/8/2015 -- 00:13:01 - <Info> - Dumping profiling data for 13302 rules.
26/8/2015 -- 00:13:01 - <Info> - Done dumping profiling data.
26/8/2015 -- 00:13:01 - <Info> - file
/nsm/logs/idpsuricata01/keyword_perf.log mode a
26/8/2015 -- 00:13:01 - <Info> - Done dumping keyword profiling data.
26/8/2015 -- 00:13:02 - <Info> - cleaning up signature grouping
structure... complete
26/8/2015 -- 00:13:02 - <Notice> - Stats for 'eth2':  pkts: 21836028,
drop: 19258219 (88.19%), invalid chksum: 0
26/8/2015 -- 00:13:02 - <Info> - Done dumping profiling data.


I don't understand this:

(RxPcapeth22) Pcap Total:10931434 Recv:18446744073701224831
Drop:19258219 (176.2%)

Any ideas?

Suricata command line is:

suricata -c /data/config/etc/idpsuricata01/suricata.yaml -D -F
/data/config/etc/idpsuricata01/bpf.conf -i eth2

As you can see, I am not using pfring or af-packet, only pcap. And it
is strange, because using Snort on the same machine, dropped packets
are 5% ....
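
An added example, not part of the original post: a sanity check over the shutdown lines quoted above that flags a `Recv` value equal to `Total - Drop` reduced modulo 2^64 and recomputes the percentages. The log lines are copied from the post and re-joined onto single lines; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: per-thread and per-interface lines copied from the
# post above, with the mail client's line wrapping undone.
SAMPLE = """\
26/8/2015 -- 00:13:01 - <Info> - (RxPcapeth21) Pcap Total:10904594 Recv:18446744073701171151 Drop:19285059 (176.9%).
26/8/2015 -- 00:13:01 - <Info> - (RxPcapeth22) Pcap Total:10931434 Recv:18446744073701224831 Drop:19258219 (176.2%).
26/8/2015 -- 00:13:02 - <Notice> - Stats for 'eth2':  pkts: 21836028, drop: 19258219 (88.19%), invalid chksum: 0
"""

U64 = 1 << 64
THREAD_RE = re.compile(r"\((\S+)\) Pcap Total:(\d+) Recv:(\d+) Drop:(\d+)")
IFACE_RE = re.compile(r"Stats for '([^']+)':\s+pkts: (\d+), drop: (\d+)")

def analyze(text):
    """Return (threads, ifaces) with wrap-around flags and recomputed ratios."""
    threads, ifaces = [], []
    for line in text.splitlines():
        m = THREAD_RE.search(line)
        if m:
            total, recv, drop = (int(g) for g in m.group(2, 3, 4))
            threads.append({
                "thread": m.group(1), "total": total, "drop": drop,
                # Recv larger than Total is implausible; test whether it is
                # exactly (Total - Drop) wrapped as an unsigned 64-bit value.
                "recv_wrapped": recv > total and recv == (total - drop) % U64,
                # The same bit pattern read as a signed 64-bit integer.
                "recv_signed": recv - U64 if recv >= U64 // 2 else recv,
                # Drop divided by this thread's Total, as the log prints it.
                "logged_pct": round(100.0 * drop / total, 1) if total else None,
            })
            continue
        m = IFACE_RE.search(line)
        if m:
            pkts, drop = int(m.group(2)), int(m.group(3))
            ifaces.append({"iface": m.group(1), "pkts": pkts, "drop": drop,
                           "pct": round(100.0 * drop / pkts, 2) if pkts else None})
    return threads, ifaces

if __name__ == "__main__":
    threads, ifaces = analyze(SAMPLE)
    for t in threads:
        print(t)
    for i in ifaces:
        print(i, "sum of thread totals:", sum(t["total"] for t in threads))
```

On the quoted numbers, both `Recv` values are wrapped, and the `pkts` figure on the `eth2` line equals the sum of the two threads' `Total` values.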

