Suricata - workers mode : single thread ?
-
When I enable workers mode, only one thread is used, is this the normal behaviour ?
Suricata detects my cores but still uses 1 thread :
26/5/2020 -- 12:34:23 - <Info> -- CPUs/cores online: 4 26/5/2020 -- 12:36:07 - <Notice> -- all 1 packet processing threads, 4 management threads initialized, engine started.
I have confirmed by doing top -H that only one thread is used
-
The GUI package has the default threading: settings in the
suricata.yaml
file it creates for an interface. They are currently set this way in the package:# Suricata is multi-threaded. Here the threading can be influenced. threading: set-cpu-affinity: no detect-thread-ratio: 1.0
These settings are copied into the active
suricata.yaml
file created for each interface from the template file/usr/local/pkg/suricata/suricata_yaml_template.inc
. You can make manual changes to this template file if desired. Open it in an editor and adjust the threading: section as desired. Only edit that part of the file, though! If you mess up this file you will break Suricata.Any edits you make to this template file will be overridden the next time you update the Suricata package. So remember that.
Also, DO NOT make any direct edits to a
suricata.yaml
file! That is pointless as those files are automatically recreated by the GUI code each time you save a change in Suricata or restart the underlying binary. Thesuricata.yaml
files are created from scratch each time using stored configuration information from the GUI package. So only make changes to the template file.The Suricata documentation pertaining to Threading can be found here: https://suricata.readthedocs.io/en/suricata-4.1.4/configuration/suricata-yaml.html#threading.
-
I have actually asked the question on suricata forum and they told me that when using legacy blocking mode (pcap) and workers mode only one thread will be used for packet processing no matter what you configure...
I hope next pfsense release on freebsd 12 will have better support for netmap for my card (ix driver) because as soon as I enable netmap I loose connectivity with errors on dmesg like netmap_ring_reinit
-
@verizu said in Suricata - workers mode : single thread ?:
I have actually asked the question on suricata forum and they told me that when using legacy blocking mode (pcap) and workers mode only one thread will be used for packet processing no matter what you configure...
I hope next pfsense release on freebsd 12 will have better support for netmap for my card (ix driver) because as soon as I enable netmap I loose connectivity with errors on dmesg like netmap_ring_reinit
Okay. Thanks for the information about the pcap default threading override. I did not know that.
Netmap appears to be a combination of a blessing and a curse. It offers great promise with near wirespeed packet routing available to userland apps, but then the necessary support within NIC drivers is sometimes either completely missing or very buggy (hence the "curse").
-
yeah I even went into the trouble of compiling the Intel driver but still same issues, it even rebooted on me ...