From c1c67536b6c7c1ff9fa12327e4e0d109071c372f Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky <jlucovsky@oisf.net>
Date: Fri, 16 Dec 2022 09:11:05 -0500
Subject: [PATCH] decode/stat: Add decode counters for unknown/arp

Issue: 5761

This commit adds statistics for ARP and unknown ethertype packets for
diagnostic purposes.
---
 etc/schema.json | 6 ++++++
 src/decode.c    | 2 ++
 src/decode.h    | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/etc/schema.json b/etc/schema.json
index 15bf6261fb..2334c48708 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -4147,6 +4147,12 @@
                         "ethernet": {
                             "type": "integer"
                         },
+                        "arp": {
+                            "type": "integer"
+                        },
+                        "unknown_ethertype": {
+                            "type": "integer"
+                        },
                         "geneve": {
                             "type": "integer"
                         },
diff --git a/src/decode.c b/src/decode.c
index c64af550ef..b3da7a1ed1 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -532,6 +532,8 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
     dtv->counter_ipv4 = StatsRegisterCounter("decoder.ipv4", tv);
     dtv->counter_ipv6 = StatsRegisterCounter("decoder.ipv6", tv);
     dtv->counter_eth = StatsRegisterCounter("decoder.ethernet", tv);
+    dtv->counter_arp = StatsRegisterCounter("decoder.arp", tv);
+    dtv->counter_ethertype_unknown = StatsRegisterCounter("decoder.unknown_ethertype", tv);
     dtv->counter_chdlc = StatsRegisterCounter("decoder.chdlc", tv);
     dtv->counter_raw = StatsRegisterCounter("decoder.raw", tv);
     dtv->counter_null = StatsRegisterCounter("decoder.null", tv);
diff --git a/src/decode.h b/src/decode.h
index dfa8af0f01..39d9bf1355 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -683,6 +683,8 @@ typedef struct DecodeThreadVars_
     uint16_t counter_udp;
     uint16_t counter_icmpv4;
     uint16_t counter_icmpv6;
+    uint16_t counter_arp;
+    uint16_t counter_ethertype_unknown;
 
     uint16_t counter_sll;
     uint16_t counter_raw;
@@ -1189,6 +1191,7 @@ static inline bool DecodeNetworkLayer(ThreadVars *tv, DecodeThreadVars *dtv,
             DecodeIEEE8021ah(tv, dtv, p, data, len);
             break;
         case ETHERNET_TYPE_ARP:
+            StatsIncr(tv, dtv->counter_arp);
             break;
         case ETHERNET_TYPE_MPLS_UNICAST:
         case ETHERNET_TYPE_MPLS_MULTICAST:
@@ -1209,6 +1212,7 @@ static inline bool DecodeNetworkLayer(ThreadVars *tv, DecodeThreadVars *dtv,
             break;
         default:
             SCLogDebug("unknown ether type: %" PRIx16 "", proto);
+            StatsIncr(tv, dtv->counter_ethertype_unknown);
             return false;
     }
     return true;
-- 
2.47.2