af-packet: fix live device counter usage

Live device counter was in fact the number of packets seen by suricata
and not the total number of packet reported by kernel. This patch fixes
this by using counter provided by kernel instead.
The counter is Clear On Read, so by adding the value fetch at each call
and earch sockets we get the number of packets and drops for the
interface.

diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index befdb0ed33b4c30a7bc11ec8dfd3b93ba71cae9e..a0de99edc31869a9f69413d5bf047cb2422ec769 100644 (file)
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -493,6 +493,7 @@ static inline void AFPDumpCounters(AFPThreadVars *ptv)
         SCPerfCounterAddUI64(ptv->capture_kernel_packets, ptv->tv->sc_perf_pca, kstats.tp_packets);
         SCPerfCounterAddUI64(ptv->capture_kernel_drops, ptv->tv->sc_perf_pca, kstats.tp_drops);
         (void) SC_ATOMIC_ADD(ptv->livedev->drop, kstats.tp_drops);
+        (void) SC_ATOMIC_ADD(ptv->livedev->pkts, kstats.tp_packets);
     }
 #endif
 }
@@ -561,7 +562,6 @@ int AFPRead(AFPThreadVars *ptv)
 
     ptv->pkts++;
     ptv->bytes += caplen + offset;
-    (void) SC_ATOMIC_ADD(ptv->livedev->pkts, 1);
     p->livedev = ptv->livedev;
 
     /* add forged header */