Packets dropping or not

xifeng · September 9, 2021, 6:19am

Hello there,

That’d be great if you could hint me a little bit.
I’m testing with replaying a pcap file via TCPReplay. I find that the count of the packets that TCPReplay replays(or displayed by Wireshark) and the packets that Suricata captures are always largely inconsistent.

There are 118690 packets in the PCAP.

Seems Suricata handled 71127 packets.

Checked with Ethtool and ifconfig, couldn’t get any clues if that’s due to NIC dropping.

Andreas_Herz · September 9, 2021, 6:31am

For testing you could run tcpdump on that interface and check if you receive all packets. At least it’s already a big diff between the NIC stats and the pcap, so they could have been lost on the wire.

Topic		Replies	Views
A question regarding packets de-duplication Help suricata	0	59	March 7, 2024
Dpdk packet loss Help suricata , dpdk	8	305	February 26, 2024
Suricata missing some SMTP traffic Help	8	1023	March 31, 2021
Application detection and duplicate TCP/SYN Help	6	1001	September 1, 2022
Suricata can't parse http packet Help	2	573	January 23, 2022

Packets dropping or not

Related Topics