Bug #1918
Updated by Victor Julien over 7 years ago
In high networking load i noticed that packet dropped stats went above 100%. I get stats like this one in example: pkts : 250833 drop : 749860 drop % : 298,95% What got me suspicious since i sent exactly 1M packets to Suricata, and the sum of those 2 numbers is around that 1M. Both pcap and pf_ring modes are affected. Looking through source-pcap.c file, in lines 661-663 i found next formula : <pre> SCLogInfo("(%s) Pcap Total:%" PRIu64 " Recv:%" PRIu64 " Drop:%" PRIu64 " ( %02.1f%%).", tv->name, (uint64_t)pcap_s.ps_recv, (uint64_t)pcap_s.ps_recv - (uint64_t)pcap_s. ps_drop, (uint64_t)pcap_s.ps_drop, (((float)(uint64_t)pcap_s.ps_drop)/(float)(uint64_t)pcap_s.ps_recv)*100); </pre> Lurking some more i found this old patch from 2011 that I think solves those stats issues where the drop% is calculated on the sum of those 2 values,yet here is not implemented. https://redmine.openinfosecfoundation.org/attachments/628/0001-Fix-for-silly-pcap-counters-mistake-made-by-me.-ps_r.patch P.S. AF-Packet correctly reports 1M total received on the NIC and drop% is correct, at least it looks ok.