Support #1877
closedCores using by suricata
Description
Actually I am running suricate on virtual machine having 4 cores,so normal suricate on interface will run on 4 cores,because it is multi threaded,now I set up tables for queue 0 and using -q0 command to run suricate (i am using set CPU affinity=no,runmodes=workers),so I am thinking the processing of modules are in single threaded and i would like to know is it using single core or multi cores for packet total processing?? I would like to process in 1 core only how??
Updated by Victor Julien over 7 years ago
- Tracker changed from Feature to Support
- Priority changed from Immediate to Normal
Updated by Victor Julien over 7 years ago
With nfq + workers, the number of packet processing threads is equal to the number of queues you use. E.g. -q0 gives 1 thread, -q0 -q1 2, etc. If you use --runmode=autofp, it will use: 1 capture thread, 1 verdict thread and N detect threads. N depends on cores and settings.
Updated by Rahul Surya over 7 years ago
means if in case i use nfq of "queue 0" and runmode as "worker" then so we are have 1 thread as(capture thread, verdict thread and detect threads) and using only one core(for example id=0 of 4 cores) and is it using the same core id=0 only or it can switch to another core id=1,....?
Updated by Rahul Surya over 7 years ago
and i would like to know does suricata is completely ndpi type?
Updated by Andreas Herz over 7 years ago
Rahul Surya wrote:
means if in case i use nfq of "queue 0" and runmode as "worker" then so we are have 1 thread as(capture thread, verdict thread and detect threads) and using only one core(for example id=0 of 4 cores) and is it using the same core id=0 only or it can switch to another core id=1,....?
This depends on your system, but if you want to have more control about that you can use --queue-cpu-fanout in combination with --queue-balance x:y to control the amount of cores and what core attached to the queue.
Rahul Surya wrote:
and i would like to know does suricata is completely ndpi type?
You should open another issue for a new request, but there are elements of dpi that suricata can cover.
Updated by Andreas Herz over 7 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Victor Julien over 7 years ago
- Status changed from New to Closed
- Assignee deleted (
Anonymous) - Target version deleted (
TBD)