[Oisf-users] Napatech support in Suricata: thread configuration and flow pinning

Matthew Keeler mk at npulsetech.com
Thu Dec 13 16:36:33 UTC 2012

With 3GD in Suricata, the threading configuration is done by Suricata. It uses the built-in auto, autofp or workers run modes, with workers being the most efficient in my testing.

The built-in workers run mode will use one thread per stream configured using NTPL. If you want 8 threads, then you should configure 8 streams. As for the flow pinning, the Napatech card can do it or you can have it round robin packets to the individual streams. As for the flow pinning in Suricata, someone else can provide a more in-depth answer on the subject.

Matt Keeler
nPulse Technologies, Inc.
mk at npulsetech.com

On Dec 13, 2012, at 11:16 AM, Stefano Debenedetti <ste at demaledetti.net> wrote:

> hello,
> I'm happy to see that 3rd generation drivers support for Napatech
> cards is going to be in 1.4.
> I am testing a NT20E2 In-Line card [1] and using Napatech's example
> packet forwarding program I found out that the best performance is
> achieved with 8 cores (0 packet drop with full-duplex 10G link fully
> saturated at any packet size) but I have 32 cores on my test machine
> so I would like to use the other 24 cores for packet decoding,
> reassembly and detection.
> I find Suricata's threading configuration a bit hard to understand,
> could anybody please point me to an example of how to do this?
> Another question: the card has its own hardware-based 5-tuple
> bi-directional flow-pinning functionality that will make packets
> from the same flow stay on the same core, in a setup like what I
> described above there would be another layer of flow-pinning made in
> software by Suricata, right?
> Thanks ciao
> ste
> [1]
> http://www.napatech.com/products/in-line_adapters/2x10g_pcie_nt20e2.html

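The two distribution options named in the reply, flow pinning on a bi-directional 5-tuple versus round robin across 8 streams, can be compared with the sketch below. It is an added example, not code from this thread, Suricata or Napatech; the SHA-256 based hash, the function names and the sample traffic are assumptions made for illustration and do not reproduce the card's hardware hash.

```python
import hashlib
from collections import defaultdict
from itertools import cycle

STREAMS = 8  # one stream per worker thread, as in the reply above

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent 5-tuple: sort the two endpoints."""
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b, proto)

def pinned_stream(pkt, streams=STREAMS):
    """Pick a stream from a hash of the sorted 5-tuple (illustrative hash)."""
    digest = hashlib.sha256(repr(flow_key(*pkt)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % streams

def distribute(packets, mode, streams=STREAMS):
    """Return {flow_key: set of stream ids that received that flow's packets}."""
    seen = defaultdict(set)
    rr = cycle(range(streams))
    for pkt in packets:
        stream = pinned_stream(pkt, streams) if mode == "pinned" else next(rr)
        seen[flow_key(*pkt)].add(stream)
    return seen

def split_flows(packets, mode, streams=STREAMS):
    """Count flows whose packets landed on more than one stream."""
    return sum(1 for s in distribute(packets, mode, streams).values() if len(s) > 1)

def sample_packets(flows=20, exchanges=5):
    """Constructed traffic: interleaved request/reply pairs for each flow."""
    pkts = []
    for _ in range(exchanges):
        for i in range(flows):
            client, server = (f"10.0.0.{i + 1}", 40000 + i), ("192.0.2.10", 443)
            pkts.append((*client, *server, 6))  # client -> server
            pkts.append((*server, *client, 6))  # server -> client
    return pkts

if __name__ == "__main__":
    pkts = sample_packets()
    for mode in ("pinned", "round_robin"):
        print(f"{mode}: {split_flows(pkts, mode)} of 20 flows split across streams")
```

With one worker thread per stream, a split flow means no single thread receives both directions of that connection.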
