[Oisf-users] Processing threads limit of 16?

Barkley, Joey Joey.Barkley at ingramcontent.com
Fri Feb 13 17:45:07 UTC 2015 

Yes, sort of…

I have 64 cores available. I set threads: 32 and cpu: [ 0-31].

It creates 32 threads, but only 16 of them show up as actually processing data in the stats log file. cores 15-31 always show 0 for kernel_packets and kernel_drops. Does that mean it just doesn’t need the extra cores? I do have some (very minimal) drops, but I’d think that if I had anything more than 0 it would start using more cores for processing.

And if it matters, this is 2.1beta3.


> On Feb 13, 2015, at 11:36 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> The number of threads is governed by this configuration:
> 
>> af-packet:
>>  - interface: eth2
>>    # Number of receive threads (>1 will enable experimental flow pinned
>>    # runmode)
>>    threads: 16
> 
> ... and this:
> 
>>    - detect-cpu-set:
>>        cpu: [ 0-15 ]
>>        mode: "exclusive" # run detect threads in these cpus
>>        # Use explicitely 3 threads and don't compute number by using
>>        # detect-thread-ratio variable:
>>        #threads: 2
>>        prio:
>>          default: "high"
> 
> Are they both set to use all available cores?
> 
> - -Coop
> 
> On 2/13/2015 8:47 AM, Barkley, Joey wrote:
>> All, 
>> 
>> I have made significant progress in tuning our suricata instance to
>> handle our network traffic. Thanks to everyone who has helped me.
>> 
>> Question: Regardless of how many threads I configure, suricata only
>> shows kernel_packets and kernel_drops for the first 16 threads. Is there
>> a hard limit of 16 “usable” threads? My system has 64 cores but it
>> doesn’t seem like I’m able to use more than 16 cores. Have I just
>> configured something incorrectly? I have primarily followed advice on
>> this list and also on
>> http://pevma.blogspot.se/2013/12/suricata-and-grand-slam-of-open-source_8.html for
>> AF_PACKET configuration. Would it help for me to assign my
>> management-cpu-set to different cores than my detect-cpu-set? I seem to
>> remember reading that would not be good as it would adversely impact
>> performance. Or possibly, would increasing the detect-thread-ratio work?
>> I’m using cluster_cpu and not sure how that would be affected by
>> changing those settings.
>> 
>> Advice welcome.
>> 
>> Thanks,
>> Joey
>> 
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
>> 
> 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> 
> iQEcBAEBAgAGBQJU3jY0AAoJEKIFRYQsa8FWpVEH/1U6bQmS5eJwUtlR59KQL8lh
> R0N5rhexMvMEKD9ES5NhfHw3lEymPTK7Z/1AF797A7TA3d5vcRYgnt7n9pFiJB9L
> QuUjcHxochZcfujUbFOWmMvC4EtqQtSbY/zVCrZgUJW8nkfAiMNSPAKJwY+YO+W3
> LL4CfdVbQTGEb7eWLXH3wjnVDXvQXmoqOlI+QTR3SKrxksBk+54169pZPme7Vivj
> GCidKOiGtsTFU0UGY4geAlhw3WABa3tz4m8oYBEoLOAXnua+uOlxd2zgDy7MeU5+
> aKf/sw4eEBdW9nAnunHN+u/TeE9bvlai7K5WtF0il2p3F2y4841fP7gpeIDlSGQ=
> =IilM
> -----END PGP SIGNATURE-----
>

More information about the Oisf-users mailing list