[Oisf-users] Threads not doing any work

Peter Manev petermanev at gmail.com
Sat Oct 10 07:49:49 UTC 2015


On Fri, Oct 9, 2015 at 11:48 PM, Duane Howard <duane.security at gmail.com> wrote:
> I've been playing with various numbers of threads for suricata using
> afpacket in workers mode. I seem to end up with some number of threads that
> aren't processing packets, for example when I have 16 threads, I see:

What cluster_type (and Suri version) are you using?

>
> 15 threads that look like this:
> ==>
> /tmp/collectd/csv/host/suricata-AFPacketbond01/suricata_capture-kernel_packets-2015-10-09
> <==
> epoch,value
> 1444425138.693,2704177
> 1444425198.689,5107892
> 1444425258.673,7853272
> 1444425318.687,9862534
> 1444425378.675,12403800
> 1444425438.672,15074199
> 1444425498.664,18680028
> 1444425558.686,22200222
> 1444425618.664,25442565
>
> and one thread that looks like this:
> ==>
> /tmp/collectd/csv/host/suricata-AFPacketbond02/suricata_capture-kernel_packets-2015-10-09
> <==
> epoch,value
> 1444425138.695,0
> 1444425198.689,0
> 1444425258.674,0
> 1444425318.687,0
> 1444425378.676,0
> 1444425438.672,0
> 1444425498.665,0
> 1444425558.686,0
> 1444425618.664,0
>

Is this consistent with Suricata's stats.log?

> When I bump up to 32 threads (just for testing) I end up with two threads
> that aren't seeing any packets. Is there any obvious reason for this? Ideas
> on troubleshooting?

You can try the latest git and use the rollover option -
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451
and see if all threads are going to have packets? (you need kernel
3.10 and above).


>
> ./d



-- 
Regards,
Peter Manev
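
The per-thread comparison discussed in this thread can be run over every worker's collectd CSV at once, flagging threads whose kernel_packets counter does not advance. This is an added example, not part of the original messages or of Suricata itself; the sample rows are a subset of the values quoted in the post, and the function names and the 1% threshold are assumptions.

```python
import csv
import io

# Subset of the collectd CSV rows quoted in the post (first three and last
# sample per thread). The value is a cumulative kernel_packets counter.
SAMPLES = {
    "AFPacketbond01": """epoch,value
1444425138.693,2704177
1444425198.689,5107892
1444425258.673,7853272
1444425618.664,25442565
""",
    "AFPacketbond02": """epoch,value
1444425138.695,0
1444425198.689,0
1444425258.674,0
1444425618.664,0
""",
}


def packet_rate(csv_text):
    """Return (packets_seen, packets_per_second) over the sampled window."""
    rows = [(float(r["epoch"]), int(r["value"]))
            for r in csv.DictReader(io.StringIO(csv_text))]
    if len(rows) < 2:
        return 0, 0.0
    (t0, v0), (t1, v1) = rows[0], rows[-1]
    # The counter is cumulative; a restart resets it, so clamp negative deltas.
    delta = max(v1 - v0, 0)
    return delta, (delta / (t1 - t0) if t1 > t0 else 0.0)


def idle_threads(samples, min_share=0.01):
    """Names of threads whose share of all captured packets is below min_share
    (hypothetical threshold; tune it to the expected load balance)."""
    deltas = {name: packet_rate(text)[0] for name, text in samples.items()}
    total = sum(deltas.values())
    if total == 0:
        return sorted(deltas)  # nothing captured anywhere: every thread is idle
    return sorted(n for n, d in deltas.items() if d / total < min_share)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        seen, pps = packet_rate(text)
        print(f"{name}: {seen} packets, {pps:.0f} pkt/s")
    print("idle:", idle_threads(SAMPLES))
```

Running the same comparison against the per-thread counters in stats.log shows whether the collectd view and Suricata's own counters agree.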


