From c115e63dc2727e3220eb5c040bc9b07735a625a2 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Tue, 31 Dec 2013 16:09:43 +0100 Subject: [PATCH] pfring: fix live device counter usage Live device counter was in fact the number of packets seen by suricata and not the total number of packet reported by pfring. This patch fixes this by using counter provided by kernel instead. Pfring kernel counter is per socket and is not cleared after read. So to get the number of packet on the interface we can add the new value for this thread and add it to the interface counter. --- src/source-pfring.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/source-pfring.c b/src/source-pfring.c index 92992f99bc..09ef215ecd 100644 --- a/src/source-pfring.c +++ b/src/source-pfring.c @@ -189,9 +189,18 @@ static inline void PfringDumpCounters(PfringThreadVars *ptv) { pfring_stat pfring_s; if (likely((pfring_stats(ptv->pd, &pfring_s) >= 0))) { + /* pfring counter is per socket and is not cleared after read. + * So to get the number of packet on the interface we can add + * the newly seen packets and drops for this thread and add it + * to the interface counter */ + uint64_t th_pkts = SCPerfGetLocalCounterValue(ptv->capture_kernel_packets, + ptv->tv->sc_perf_pca); + uint64_t th_drops = SCPerfGetLocalCounterValue(ptv->capture_kernel_drops, + ptv->tv->sc_perf_pca); + SC_ATOMIC_ADD(ptv->livedev->pkts, pfring_s.recv - th_pkts); + SC_ATOMIC_ADD(ptv->livedev->drop, pfring_s.drop - th_drops); SCPerfCounterSetUI64(ptv->capture_kernel_packets, ptv->tv->sc_perf_pca, pfring_s.recv); SCPerfCounterSetUI64(ptv->capture_kernel_drops, ptv->tv->sc_perf_pca, pfring_s.drop); - SC_ATOMIC_SET(ptv->livedev->drop, pfring_s.drop); } } @@ -211,7 +220,6 @@ static inline void PfringProcessPacket(void *user, struct pfring_pkthdr *h, Pack ptv->bytes += h->caplen; ptv->pkts++; - (void) SC_ATOMIC_ADD(ptv->livedev->pkts, 1); p->livedev = ptv->livedev; /* PF_RING may fail to set timestamp */ -- 2.47.2