[Oisf-users] autofp mode and af-packet

Thu Oct 9 04:11:03 UTC 2014

On 9/10/2014, at 3:29 pm, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> when I set runmode to autofp with af-packet the first thread gets no packets:
> 
> using egrep on stats.log:
> 
> Date: 10/9/2014 -- 15:11:35 (uptime: 0d, 00h 04m 57s)
> capture.kernel_packets    | RxAFP1                    | 0
> capture.kernel_drops      | RxAFP1                    | 0
> capture.kernel_packets    | RxAFP2                    | 27493258
> capture.kernel_drops      | RxAFP2                    | 15064274
> capture.kernel_packets    | RxAFP3                    | 26577340
> capture.kernel_drops      | RxAFP3                    | 14137034
> capture.kernel_packets    | RxAFP4                    | 26198636
> capture.kernel_drops      | RxAFP4                    | 13860637
> 
> changing runmode to auto:
> 
> Date: 10/9/2014 -- 15:14:11 (uptime: 0d, 00h 07m 33s)
> capture.kernel_packets    | RxAFP1                    | 38121212
> capture.kernel_drops      | RxAFP1                    | 38037311
> capture.kernel_packets    | RxAFP2                    | 41758679
> capture.kernel_drops      | RxAFP2                    | 22825304
> capture.kernel_packets    | RxAFP3                    | 40124290
> capture.kernel_drops      | RxAFP3                    | 21185298
> capture.kernel_packets    | RxAFP4                    | 40018390
> capture.kernel_drops      | RxAFP4                    | 21184336
> 

It turns out that it isn’t that simple.  I now have a yaml file with run-mode of auto which does this too.  The difference to the previous version was that I added some more CPUs to my detection-set in the cpu-affinity section.  I am guessing that there is some conflict between allocating cpu/threads between the capture and processing.

Russell