<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Can you post your configuration? Are you using a 64bit system?<div><br></div><div><br></div><div>ZK</div><div><br></div><div><br><div><div>On Jun 7, 2013, at 8:48 AM, Fernando Sclavo <<a href="mailto:fsclavo@gmail.com">fsclavo@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><div>Victor, threads are 16 in afpacket settings. Nevertheless, based on you second comment, we will move to workers mode again.<br></div>Thanks<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
2013/6/7 Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">On 06/07/2013 02:24 PM, Fernando Sclavo wrote:<br>
> Hi all.<br>
> Trying to balance the load on all CPUs (and finally, reduce kernel<br>
> dropped packets) we set Suricata from workers to auto mode. In this mode<br>
> CPU consumption y 1/3 than in worker mode, but stats doesn't show<br>
> packets drops anymore and couldn't see if there are dropped packets or not.<br>
> How can we see packets drops in AFpacket AUTO mode?<br>
> And another question: we see one Receive thread per NIC, and sometimes<br>
> these threads goes to 100% CPU, is there any way to split them on more<br>
> than one as we can do with detect threads?<br>
<br>
</div></div>You should be able to use the 'threads' option in the af-packet per nic<br>
settings for this.<br>
<br>
I don't recommend 'auto' mode. Autofp or workers is the way to go.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org/" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</font></span></blockquote></div><br></div>
_______________________________________________<br>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a><br>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>OISF: <a href="http://www.openinfosecfoundation.org/">http://www.openinfosecfoundation.org/</a></blockquote></div><br></div></body></html>