From 120f061bcd53bf191b4a49e9d49621f4d4c5276a Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 28 Jul 2025 14:10:49 +0200
Subject: [PATCH] ConnStats: Expose num_packets_unprocessed
Not sure it's the best place to put, but we don't have packet analysis stats bif and also num_packets is already there, so seems reasonable to put the num_packets_unprocessed into
---
 scripts/base/init-bare.zeek | 1 +
 src/session/Manager.cc | 1 +
 src/session/Manager.h | 1 +
 src/stats.bif | 3 ++-
 testing/btest/Baseline/core.conn-stats/.stdout | 7 ++++++-
 testing/btest/core/conn-stats.zeek | 10 +++++++++-
 6 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 48b0fbca8a..ba96df34ab 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1092,6 +1092,7 @@ type ConnStats: record {
 num_icmp_conns: count; ##< Current number of ICMP flows in memory.
 max_icmp_conns: count; ##< Maximum number of concurrent ICMP flows so far.
 cumulative_icmp_conns: count; ##< Total number of ICMP flows so far.
+ num_packets_unprocessed: count; ##< Total number of packets not processed by any analyzer.
 killed_by_inactivity: count;
 };
diff --git a/src/session/Manager.cc b/src/session/Manager.cc
index c068eeb1df..4b75afdb0c 100644
--- a/src/session/Manager.cc
+++ b/src/session/Manager.cc
@@ -218,6 +218,7 @@ void Manager::GetStats(Stats& s) {
 s.num_fragments = zeek::detail::fragment_mgr->Size();
 s.max_fragments = zeek::detail::fragment_mgr->MaxFragments();
 s.num_packets = packet_mgr->PacketsProcessed();
+ s.num_packets_unprocessed = packet_mgr->PacketsUnprocessed();
 }
 void Manager::Weird(const char* name, const Packet* pkt, const char* addl, const char* source) {
diff --git a/src/session/Manager.h b/src/session/Manager.h
index c4e1ef4f73..38476c575a 100644
--- a/src/session/Manager.h
+++ b/src/session/Manager.h
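Review bot: The doc comment on the added `num_packets_unprocessed` field does not say how the counter relates to `num_packets`, which matters to anyone computing an unprocessed-packet ratio as a visibility-gap signal. The updated baseline in this patch shows `num_packets=118, num_packets_unprocessed=118` for contentline-irc-5k-line.pcap, which suggests unprocessed packets are also counted in `num_packets`; if that is the intent, say so, e.g. `##< Total number of packets so far that no analyzer processed (also counted in num_packets).` The field also sits between the ICMP counters and `killed_by_inactivity` rather than next to `num_packets`, so its position has to stay in step with the positional `r->Assign(n++, ...)` sequence in src/stats.bif. The record definition starts outside the hunk.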
@@ -50,6 +50,7 @@ struct Stats { size_t num_fragments; size_t max_fragments; uint64_t num_packets; + uint64_t num_packets_unprocessed; }; class Manager final { diff --git a/src/stats.bif b/src/stats.bif index c563fceb26..07ad95c686 100644 --- a/src/stats.bif +++ b/src/stats.bif @@ -101,10 +101,11 @@ function get_conn_stats%(%): ConnStats r->Assign(n++, static_cast(s.num_ICMP_conns)); r->Assign(n++, static_cast(s.max_ICMP_conns)); r->Assign(n++, static_cast(s.cumulative_ICMP_conns)); + r->Assign(n++, static_cast(s.num_packets_unprocessed)); } else { // Skip all of the fields that would be set from session_mgr data. - n += 13; + n += 14; } r->Assign(n++, zeek::detail::killed_by_inactivity); diff --git a/testing/btest/Baseline/core.conn-stats/.stdout b/testing/btest/Baseline/core.conn-stats/.stdout index d50700f23b..aac49da3a4 100644 --- a/testing/btest/Baseline/core.conn-stats/.stdout +++ b/testing/btest/Baseline/core.conn-stats/.stdout 
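Review bot: The skip count in the `else` branch of the src/stats.bif hunk (`n += 14;`) is a hand-maintained literal that has to equal the number of `r->Assign(n++, ...)` calls in the branch above, and this change had to touch both places to keep them aligned. A miscount would write `killed_by_inactivity` into the wrong ConnStats field without any compile error, so consider recording the index before the branch and deriving the skip from it, or at least stating the invariant in the existing comment: `// Skip the 14 session_mgr-backed fields; must match the Assign() calls above.` When that branch is taken the new field is left unassigned like its neighbours, which presumably needs no change but is worth confirming for script code that reads it. get_conn_stats starts and ends outside the hunk.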
@@ -1,2 +1,7 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -[total_conns=9, current_conns=5, sess_current_conns=5, num_packets=125, num_fragments=0, max_fragments=0, num_tcp_conns=5, max_tcp_conns=5, cumulative_tcp_conns=6, num_udp_conns=0, max_udp_conns=2, cumulative_udp_conns=2, num_icmp_conns=0, max_icmp_conns=1, cumulative_icmp_conns=1, killed_by_inactivity=3] +pcap smtp.trace +[total_conns=9, current_conns=5, sess_current_conns=5, num_packets=125, num_fragments=0, max_fragments=0, num_tcp_conns=5, max_tcp_conns=5, cumulative_tcp_conns=6, num_udp_conns=0, max_udp_conns=2, cumulative_udp_conns=2, num_icmp_conns=0, max_icmp_conns=1, cumulative_icmp_conns=1, num_packets_unprocessed=0, killed_by_inactivity=3] +pcap dns-edns-ecs.pcap +[total_conns=69, current_conns=9, sess_current_conns=9, num_packets=89, num_fragments=0, max_fragments=1, num_tcp_conns=1, max_tcp_conns=6, cumulative_tcp_conns=8, num_udp_conns=8, max_udp_conns=37, cumulative_udp_conns=61, num_icmp_conns=0, max_icmp_conns=0, cumulative_icmp_conns=0, num_packets_unprocessed=4, killed_by_inactivity=59] +pcap contentline-irc-5k-line.pcap +[total_conns=0, current_conns=0, sess_current_conns=0, num_packets=118, num_fragments=0, max_fragments=0, num_tcp_conns=0, max_tcp_conns=0, cumulative_tcp_conns=0, num_udp_conns=0, max_udp_conns=0, cumulative_udp_conns=0, num_icmp_conns=0, max_icmp_conns=0, cumulative_icmp_conns=0, num_packets_unprocessed=118, killed_by_inactivity=0] diff --git a/testing/btest/core/conn-stats.zeek b/testing/btest/core/conn-stats.zeek index 0d94415d7c..5b8789f4e2 100644 --- a/testing/btest/core/conn-stats.zeek +++ b/testing/btest/core/conn-stats.zeek 
@@ -1,7 +1,15 @@
 # @TEST-EXEC: zeek -b -r $TRACES/smtp.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dns-edns-ecs.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/contentline-irc-5k-line.pcap %INPUT
+#
 # @TEST-EXEC: btest-diff .stdout
+event zeek_init()
+ {
+ print fmt("pcap %s", split_string(packet_source()$path, /\//)[-1]);
+ }
+
 event net_done(t: time)
 {
 print get_conn_stats();
- }
\ No newline at end of file
+ }