Feature #1675
closedSupport additional runmodes for unix-socket
Description
It would be nice, mainly from a speed of processing perspective, if I could use multiple threads to process pcap input while in unix-socket mode (pretty sure this is feasible when directly reading a single pcap).
Updated by Victor Julien about 8 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to TBD
Hmmm I thought we used autofp for unix socket mode?
Updated by Eric Leblond about 8 years ago
Victor Julien wrote:
Hmmm I thought we used autofp for unix socket mode?
Yes, it should be the case. Call to RunModeDispatch(RUNMODE_PCAP_FILE, NULL) is firing autofp.
I've just tested this and I've got all CPUs working here.
Duane Howard: any chance you have setup thread affinity to value that could prevent scaling ?
Updated by Duane Howard about 8 years ago
Sorry for the delay Eric, I completely missed your comment here. I do not have thread affinity set up, maybe there's some conflict in the yaml file? I thought using --runmode would override this though. This week is shaping up to be really busy, I'll block some time to gather more details around this issue next week.
Updated by Duane Howard about 8 years ago
Let's try that again without markdown messing everything up.
Ah, so Eric, I was specifically talking about when running in unix-socket mode:
$ sudo suricata --list-runmodes <snip> |---------------------------------------------------------------------------------------- | UNIX_SOCKET | single | Unix socket mode |----------------------------------------------------------------------------------------
Feeding in a single pcap via -r <file.pcapworks fine for this, but if you need to feed in multiple pcaps (and maintain state) we're restricted to using the unix-socket runmode and adding multiple files.
$ sudo /usr/local/bin/suricata -c suricata-socket.yaml --runmode single --unix-socket=/tmp/foo.sock <snip> 16/3/2016 -- 15:09:46 - <Notice- all 0 packet processing threads, 0 management threads initialized, engine started. $ sudo /usr/local/bin/suricata -c suricata-socket.yaml --runmode autofp --unix-socket=/tmp/foo.sock <snip> 16/3/2016 -- 15:10:32 - <Error- [ERRCODE: SC_ERR_RUNMODE(187)] - The custom type "autofp" doesn't exist for this runmode type "UNIX_SOCKET". Please use --list-runmodes to see available custom types for this runmode
Does this make more sense?
Is it the case that autofp is being used under the hood when processing individual pcaps, even though Suricata forces me to set runmode=single? If so, this is a bit confusing to me.
Updated by Victor Julien almost 7 years ago
I looked into this a bit and it seems that we're confusing the hell out of our users. The --runmode option in this case doesn't control the pcap runmode that is spawned by the unix manager, but only the unix manager itself. That is a single thread, hence it's 'single'. The the pcap mode is activated over the unix socket (using the pcap-file) command, it actually runs the pcap in a autofp mode. This is not something that can be configured.
Working on a small set of clean ups.
Updated by Victor Julien almost 7 years ago
- Assignee changed from Eric Leblond to Victor Julien
- Target version changed from TBD to 70
Updated by Victor Julien almost 7 years ago
Duane any chance you can try https://github.com/inliniac/suricata/pull/2720 ?
Updated by Victor Julien almost 7 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.2.2
Updated by Duane Howard almost 7 years ago
Sorry Victor,
I didn't see this as I hadn't flagged this to 'watch' on accident.
I'll play with this when we get 3.2.2 on our test machines.