<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div dir="ltr" id="yui_3_16_0_ym19_1_1481650681774_16406">I have many sensors in various configurations. I want to setup CPU affinity to improve performance. Some have 2 physical CPUs some have just 1. Commentary, calling them CPUs is incorrect, actually a chip with 8 cores has 8 CPUs. Runmode is pfring workers in IDS configuration.<br><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481650681774_16407">As I understand it, in this configuration I am only concerned with <br id="yui_3_16_0_ym19_1_1481650681774_16408"><br id="yui_3_16_0_ym19_1_1481650681774_16409"></div><pre style="font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; margin-top: 0px; margin-bottom: 0px; box-sizing: border-box; font-size: 12px; padding: 12px; line-height: 1.5; overflow: auto; color: rgb(64, 64, 64);" id="yui_3_16_0_ym19_1_1481650681774_16410">management-cpu-set - used for management (example - flow.managers, flow.recyclers)
detect-cpu-set - used for receive,streamtcp,decode,detect,output(logging),respond/reject</pre><div dir="ltr" id="yui_3_16_0_ym19_1_1481650681774_16411"><br>On systems where a tap is used we get data on 2 separate NICS (one is the Rx channel the other is the Tx). These are then placed in a bond so as to treat this as 1 data stream. We also do this in instances where we get multiple SPAN/Mirror port feeds. I believe in the latter case we should be treating each feed separately and running a separate suricata instance for that feed. Comments on this???<br><br>ALSO.......In the PFRING setup we are running multiple threads. Seems to me I should only need one, but what do I know.....<br><br><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1481650681774_16387"><br>I believe my rules of application here should be as follows</div><div id="yui_3_16_0_ym19_1_1481650681774_15763" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1481650681774_15763" dir="ltr"><br><br>On Systems with a single physical CPU monitoring 1 feed I should reserve a couple of cores for system processes and the remainder should be split up for the acquisition, decode, detect, and output threads. <br><br>On systems with 2 physical CPUs monitoring one feed, I should reserve one physical CPU for the system, the other physical CPU should be used for Suricata<br><br>On systems with 2 physical CPUs monitoring 2 feeds, I should reserve a couple of cores for the system, the 2 feeds should be split to run on separate instances of Suricata <br><br><br>The logic I am using here is that I want the acquisition and decode to run on a single core (perhaps multiple cores Advice here) the detect processes can use multiple cores.<br><br><br>One other question in this section what is the prio doing???<br><br></div><pre style="box-sizing: border-box; font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-size: 12px; white-space:pre-wrap; margin-top: 0px; margin-bottom: 0px; padding: 12px; line-height: 1.5; overflow: auto; color: rgb(64, 64, 64);" id="yui_3_16_0_ym19_1_1481650681774_16442"> - detect-cpu-set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
# Use explicitely 3 threads and don't compute number by using
# detect-thread-ratio variable:
# threads: 3
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"</pre></div></body></html>