What are the measurements `capture.kernel_packets` and `decoder.pkts` in the log file `stats.log` mean?

Help
1

I am trying to do some performance benchmarks for Suricata using AF_PACKET mode, but the meaning of the measurement in the log file stats.log confused me. I can’t figure out the relationship between capture.kernel_packets and decoder.pkts. In my experimental statistics, the size of these two measurements is inconsistent. I guess it’s due to computer performance, the packets captured by AF_PACKET is so many that Suricata can’t detect them. But I need a developer to confirm my guess. And I’m also confused that the different between capture.kernel_packets and decoder.pkts is not equal to capture.kernel_drops.

here is a piece of stats.log

Date: 4/10/2021 -- 04:57:23 (uptime: 0d, 00h 01m 05s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 77507190
capture.kernel_drops                          | Total                     | 1427558
decoder.pkts                                  | Total                     | 72476378
decoder.bytes                                 | Total                     | 49432850742
decoder.ipv4                                  | Total                     | 72475921
decoder.ethernet                              | Total                     | 72476378
decoder.tcp                                   | Total                     | 72445855
decoder.udp                                   | Total                     | 30066
decoder.avg_pkt_size                          | Total                     | 682
decoder.max_pkt_size                          | Total                     | 1514
flow.tcp                                      | Total                     | 264155
flow.udp                                      | Total                     | 14367
tcp.sessions                                  | Total                     | 108839
tcp.syn                                       | Total                     | 108839
tcp.synack                                    | Total                     | 108956
tcp.rst                                       | Total                     | 59
tcp.pkt_on_wrong_thread                       | Total                     | 11190636
tcp.segment_memcap_drop                       | Total                     | 300
tcp.stream_depth_reached                      | Total                     | 808
tcp.reassembly_gap                            | Total                     | 58489
tcp.insert_data_normal_fail                   | Total                     | 3425308
detect.alert                                  | Total                     | 1
app_layer.flow.http                           | Total                     | 5195
app_layer.tx.http                             | Total                     | 13912
app_layer.flow.tls                            | Total                     | 211
app_layer.flow.failed_tcp                     | Total                     | 302
app_layer.flow.dns_udp                        | Total                     | 8279
app_layer.tx.dns_udp                          | Total                     | 17361
app_layer.flow.failed_udp                     | Total                     | 6088
flow_mgr.closed_pruned                        | Total                     | 31
flow_mgr.new_pruned                           | Total                     | 2351
flow.spare                                    | Total                     | 10497
flow.tcp_reuse                                | Total                     | 660
flow_mgr.flows_checked                        | Total                     | 42119
flow_mgr.flows_notimeout                      | Total                     | 39773
flow_mgr.flows_timeout                        | Total                     | 2346
flow_mgr.flows_timeout_inuse                  | Total                     | 2
flow_mgr.flows_removed                        | Total                     | 2344
flow_mgr.rows_checked                         | Total                     | 65536
flow_mgr.rows_skipped                         | Total                     | 57234
flow_mgr.rows_maxlen                          | Total                     | 17
tcp.memuse                                    | Total                     | 31209640
tcp.reassembly_memuse                         | Total                     | 268437548
http.memuse                                   | Total                     | 194362543
flow.memuse                                   | Total                     | 101669584
2

Since decoder.pkts is equal to decoder.ethernet I would guess that those packets are some non ethernet packets?

4

Thanks a lot! But I also confused that what kinds of packets do not counted as Ethernet packets, and Suricata Team have any ideas to support detecting them?

5

I would suggest that you run tcpdump on that interface and take a look into the pcap and ideally you find the type of packets that don’t match the supported ones and we can dig into that.