[Oisf-users] high cpu loads running multiple suricata instances
Victor Julien
victor at inliniac.net
Wed Jul 21 09:06:41 UTC 2010
Aki Heikkinen wrote:
> Still at loss why idle instances (not a single packet through nfqueue)
> eat up CPU cycles so viciously.
We currently have 3 management threads running separately from the
packet handling. 2 are for "counters" and 1 is for managing flows. Some
more on that last thread.
In Suricata the flow manager thread does a few things:
1. it checks the flow table for flows that are expired and cleans them
up. This is done by this thread to not add latency to the packet handling.
2. it makes sure that we have enough "pre allocated" flows sitting in a
queue. This makes sure that on traffic spikes we won't have to do many
expensive operations but we can hand out new flows quickly.
3. it has an "emergency mode" for out of memory / internal limits
reached mode, that more aggressively expires flows etc.
This thread is scheduled to run quite aggressively as new flows may come
in at pretty high rate.
To test whether this is really your issue, "top" can show the individual
threads by name. If you press H (uppercase h) to show all threads, it
will show something like:
4679 suricata 20 0 412m 287m 2388 S 8.9 14.3 2913:42 FlowManagerThre
You should have one of those for each instance.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list