[Oisf-users] Suricata on 8 cores, ~70K packets/sec

[Victor Julien]

On 02/15/2011 09:44 AM, Robert Vineyard wrote:
> On 02/15/2011 12:09 PM, Eric Leblond wrote:
>> You may have a look at this post on my blog:
>> 	http://home.regit.org/?p=438
>> A git version of suricata is required for the fine tuning described in
>> the page but you can also play with the threads multiplicator. On a eight
>> core, you could try something lower like 0.25.
> 
> After reading your blog post, I'm wondering if perhaps Suricata is running
> into the same kinds of issues that have plagued the much-delayed
> multi-threaded Snort 3.0:
> 
> http://securitysauce.blogspot.com/2009/04/snort-30-beta-3-released.html
> 
> I'm not sure how much if any code in Suricata is shared with Snort, but I
> found Marty's analysis here to be very enlightening.

The threading model Suricata uses (I should sit down to fully document
it some time) allows for many different what we call "run modes". It
allows for a completely single threaded mode, flow pinned modes, etc.
Not all is fully configurable through the configuration yet, although
it's fairly simple for someone with a little C-language experience to
add new runmodes (see src/runmodes.c if you're interested). You can set
CPU affinity to (groups of) cores through the code Eric added.

Btw, Snort and Suricata share no code. Suricata is written complete from
scratch.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------