Packets dropping or not

xifeng · September 9, 2021, 6:19am

Hello there,

That’d be great if you could hint me a little bit.
I’m testing with replaying a pcap file via TCPReplay. I find that the count of the packets that TCPReplay replays(or displayed by Wireshark) and the packets that Suricata captures are always largely inconsistent.

There are 118690 packets in the PCAP.

Seems Suricata handled 71127 packets.

Checked with Ethtool and ifconfig, couldn’t get any clues if that’s due to NIC dropping.

Andreas_Herz · September 9, 2021, 6:31am

For testing you could run tcpdump on that interface and check if you receive all packets. At least it’s already a big diff between the NIC stats and the pcap, so they could have been lost on the wire.

Topic		Replies	Views
A question regarding packets de-duplication Help suricata	1	155	April 25, 2024
Understanding stats.log to analyze upstream packet loss Help	1	168	July 31, 2024
Dpdk packet loss Help suricata , dpdk	8	611	February 26, 2024
Suricata missing some SMTP traffic Help	8	1298	March 31, 2021
Application detection and duplicate TCP/SYN Help	6	1263	September 1, 2022

Packets dropping or not

Related topics