Support #1877: Cores using by suricata

Added by Rahul Surya over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:

Description

Actually, I am running Suricata on a virtual machine with 4 cores, so normal Suricata on an interface will run on 4 cores because it is multi-threaded. Now I have set up tables for queue 0 and am using the -q0 command to run Suricata (I am using set CPU affinity=no, runmodes=workers), so I am thinking the processing of modules is single-threaded, and I would like to know: is it using a single core or multiple cores for total packet processing? I would like to process on 1 core only. How?

VJ Updated by Victor Julien over 9 years ago Actions #1

  • Tracker changed from Feature to Support
  • Priority changed from Immediate to Normal

VJ Updated by Victor Julien over 9 years ago Actions #2

With nfq + workers, the number of packet processing threads is equal to the number of queues you use. E.g. -q0 gives 1 thread, -q0 -q1 2, etc. If you use --runmode=autofp, it will use: 1 capture thread, 1 verdict thread and N detect threads. N depends on cores and settings.

RS Updated by Rahul Surya over 9 years ago Actions #3

So this means that if I use nfq with "queue 0" and runmode "worker", then we have 1 thread (as capture thread, verdict thread and detect threads) using only one core (for example id=0 of 4 cores), and is it using the same core id=0 only, or can it switch to another core id=1, ...?

RS Updated by Rahul Surya over 9 years ago Actions #4

And I would like to know: is Suricata completely ndpi type?

AH Updated by Andreas Herz over 9 years ago Actions #5

Rahul Surya wrote:

So this means that if I use nfq with "queue 0" and runmode "worker", then we have 1 thread (as capture thread, verdict thread and detect threads) using only one core (for example id=0 of 4 cores), and is it using the same core id=0 only, or can it switch to another core id=1, ...?

This depends on your system, but if you want to have more control over that, you can use --queue-cpu-fanout in combination with --queue-balance x:y to control the number of cores and which core is attached to the queue.

Rahul Surya wrote:

And I would like to know: is Suricata completely ndpi type?

You should open another issue for a new request, but there are elements of DPI that Suricata can cover.

AH Updated by Andreas Herz over 9 years ago Actions #6

  • Assignee set to Anonymous
  • Target version set to TBD

VJ Updated by Victor Julien over 9 years ago Actions #7

  • Status changed from New to Closed
  • Assignee deleted (Anonymous)
  • Target version deleted (TBD)
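
The question in this thread (does the single NFQ worker stay on one core, or can it move between cores) can be checked on a running system. The script below is an added example, not part of the original ticket and not Suricata code: it reads Linux /proc for a PID and reports, for each thread, the CPU it last ran on and the CPUs it is allowed to run on. All function names are hypothetical.

```python
import os
import sys


def parse_stat(line):
    """Return (thread name, last CPU) from a /proc/<pid>/task/<tid>/stat line."""
    # The name sits in parentheses and may itself contain spaces or ')',
    # so cut at the last ')' instead of splitting the whole line on whitespace.
    name = line[line.index("(") + 1:line.rindex(")")]
    rest = line[line.rindex(")") + 1:].split()
    # rest[0] is field 3 (state), so field 39 (processor) is rest[36].
    return name, int(rest[36])


def parse_cpu_list(text):
    """Expand a Cpus_allowed_list value such as '0-3' or '0,2-3' into a set."""
    cpus = set()
    for part in text.strip().split(","):
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus


def describe(stat_line, status_text):
    """One thread: name, last CPU, allowed CPUs, and whether it is pinned."""
    name, last = parse_stat(stat_line)
    for line in status_text.splitlines():
        if line.startswith("Cpus_allowed_list:"):
            cpus = parse_cpu_list(line.split(":", 1)[1])
            return {"name": name, "last_cpu": last,
                    "allowed": sorted(cpus), "pinned": len(cpus) == 1}
    raise ValueError("no Cpus_allowed_list line in status")


def threads(pid):
    """Yield describe() for every live thread of pid (Linux /proc only)."""
    base = f"/proc/{pid}/task"
    for tid in sorted(os.listdir(base), key=int) if os.path.isdir(base) else []:
        try:
            with open(f"{base}/{tid}/stat") as s, open(f"{base}/{tid}/status") as st:
                yield describe(s.read(), st.read())
        except (FileNotFoundError, ProcessLookupError):  # thread exited mid-read
            continue


if __name__ == "__main__":
    # PID of the process to inspect; defaults to this script's own PID.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for t in threads(pid):
        print(f"{t['name']:<16} last_cpu={t['last_cpu']} allowed={t['allowed']} pinned={t['pinned']}")
```

Pass the Suricata PID as the only argument. A thread whose allowed list holds more than one CPU can be moved between those cores by the scheduler, so repeated runs may show a different last_cpu.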