From 1869688fb8b3577d224ee3651827bde894000d3e Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Tue, 31 Dec 2013 16:13:50 +0100
Subject: [PATCH] af-packet: fix live device counter usage

Live device counter was in fact the number of packets seen by suricata and not the total number of packet reported by kernel. This patch fixes this by using counter provided by kernel instead. The counter is Clear On Read, so by adding the value fetch at each call and earch sockets we get the number of packets and drops for the interface.
---
 src/source-af-packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index befdb0ed33..a0de99edc3 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -493,6 +493,7 @@ static inline void AFPDumpCounters(AFPThreadVars *ptv)
         SCPerfCounterAddUI64(ptv->capture_kernel_packets, ptv->tv->sc_perf_pca, kstats.tp_packets);
         SCPerfCounterAddUI64(ptv->capture_kernel_drops, ptv->tv->sc_perf_pca, kstats.tp_drops);
         (void) SC_ATOMIC_ADD(ptv->livedev->drop, kstats.tp_drops);
+        (void) SC_ATOMIC_ADD(ptv->livedev->pkts, kstats.tp_packets);
     }
 #endif
 }
@@ -561,7 +562,6 @@ int AFPRead(AFPThreadVars *ptv)
     ptv->pkts++;
     ptv->bytes += caplen + offset;
-    (void) SC_ATOMIC_ADD(ptv->livedev->pkts, 1);
     p->livedev = ptv->livedev;
     /* add forged header */
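Review bot: The added `(void) SC_ATOMIC_ADD(ptv->livedev->pkts, kstats.tp_packets);` sits inside the conditionally compiled block closed by the `#endif` in this hunk (and, judging by the closing `}` just above it, inside an `if` whose condition is outside the hunk), whereas the increment removed from AFPRead in the second hunk was unconditional. On a build where that preprocessor branch is not compiled, or whenever the enclosing condition is false, the live device packet counter is now never advanced at all, so it is worth confirming that any `#else` side of that block still feeds `livedev->pkts`, or documenting that the counter is unavailable there. Because the kernel socket statistics are cleared on each read, a comment above the three accumulate lines such as `/* kernel stats are clear-on-read: each fetch is a delta, so accumulate it */` would make the intent of adding rather than assigning explicit. AFPDumpCounters' body starts outside the hunk.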