[Oisf-users] Threads not doing any work

Peter Manev petermanev at gmail.com
Thu Oct 15 12:04:18 UTC 2015


On Wed, Oct 14, 2015 at 10:03 PM, Duane Howard <duane.security at gmail.com> wrote:
>>
>>
>> What cluster_type (and Suri version) are you using?
>
> version: 2.0.8 RELEASE
> cluster-type: cluster_flow
>>
>>
>> Is this consistent with Suricata's stats.log?
>
>
> Yes, last two entries from stats.log:
> capture.kernel_packets    | AFPacketbond01            | 1485572868
> capture.kernel_packets    | AFPacketbond02            | 0
> capture.kernel_packets    | AFPacketbond03            | 1377368199
> capture.kernel_packets    | AFPacketbond04            | 1389788072
> capture.kernel_packets    | AFPacketbond05            | 1428569217
> capture.kernel_packets    | AFPacketbond06            | 1920661530
> capture.kernel_packets    | AFPacketbond07            | 1408036528
> capture.kernel_packets    | AFPacketbond08            | 1590766009
> capture.kernel_packets    | AFPacketbond09            | 1494232281
> capture.kernel_packets    | AFPacketbond010           | 1451044916
> capture.kernel_packets    | AFPacketbond011           | 3252054939
> capture.kernel_packets    | AFPacketbond012           | 3118034998
> capture.kernel_packets    | AFPacketbond013           | 1493265432
> capture.kernel_packets    | AFPacketbond014           | 1465651530
> capture.kernel_packets    | AFPacketbond015           | 1513765413
> capture.kernel_packets    | AFPacketbond016           | 1616881473
> capture.kernel_packets    | AFPacketbond01            | 1500290226
> capture.kernel_packets    | AFPacketbond02            | 0
> capture.kernel_packets    | AFPacketbond03            | 1390539219
> capture.kernel_packets    | AFPacketbond04            | 1402401529
> capture.kernel_packets    | AFPacketbond05            | 1441521628
> capture.kernel_packets    | AFPacketbond06            | 1934344963
> capture.kernel_packets    | AFPacketbond07            | 1420926996
> capture.kernel_packets    | AFPacketbond08            | 1604977752
> capture.kernel_packets    | AFPacketbond09            | 1525281819
> capture.kernel_packets    | AFPacketbond010           | 1464552695
> capture.kernel_packets    | AFPacketbond011           | 3269385208
> capture.kernel_packets    | AFPacketbond012           | 3131000528
> capture.kernel_packets    | AFPacketbond013           | 1506020632
> capture.kernel_packets    | AFPacketbond014           | 1477735937
> capture.kernel_packets    | AFPacketbond015           | 1528967614
> capture.kernel_packets    | AFPacketbond016           | 1629456468
>
>>
>> You can try the latest git and use the rollover option -
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451
>> and see if all threads are going to have packets? (you need kernel
>> 3.10 and above).
>
> kernel version should be fine, won't have time to test this different mode
> in the short term, but cluster flow seems to be working correctly with the
> exception of this distinct thread?

Is it always this thread, or does it change across restarts?

-- 
Regards,
Peter Manev
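
The check discussed in this thread, as an added example that is not part of the original message or of Suricata: it parses `capture.kernel_packets` lines in the format quoted above, computes each thread's packet delta between the last two stats.log dumps, and lists the threads that received nothing. The function names are this example's own, and the sample holds three of the sixteen threads from the quoted output.

```python
import re

# counter | thread name | value, optionally behind e-mail quote markers ("> ").
LINE = re.compile(r"^\s*(?:>\s*)*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Three of the sixteen threads from the two stats.log dumps quoted above.
SAMPLE = """
> capture.kernel_packets    | AFPacketbond01            | 1485572868
> capture.kernel_packets    | AFPacketbond02            | 0
> capture.kernel_packets    | AFPacketbond011           | 3252054939
> capture.kernel_packets    | AFPacketbond01            | 1500290226
> capture.kernel_packets    | AFPacketbond02            | 0
> capture.kernel_packets    | AFPacketbond011           | 3269385208
"""

def snapshots(text, counter="capture.kernel_packets"):
    """Split stats.log text into one {thread: value} dict per dump.

    Assumption: a repeated thread name marks the next dump, so excerpts
    pasted without the header lines between dumps are handled too.
    """
    dumps, current = [], {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != counter:
            continue
        thread, value = m.group(2), int(m.group(3))
        if thread in current:
            dumps.append(current)
            current = {}
        current[thread] = value
    if current:
        dumps.append(current)
    return dumps

def thread_deltas(text, counter="capture.kernel_packets"):
    """Packets each thread gained between the last two dumps."""
    dumps = snapshots(text, counter)
    if len(dumps) < 2:
        raise ValueError("need at least two stats.log dumps")
    prev, last = dumps[-2], dumps[-1]
    # A value lower than before means the counter restarted; count from zero.
    return {t: v - prev[t] if v >= prev[t] else v
            for t, v in last.items() if t in prev}

def idle_threads(text, counter="capture.kernel_packets"):
    """Threads whose counter did not move between the last two dumps."""
    return sorted(t for t, d in thread_deltas(text, counter).items() if d == 0)
```

Running `idle_threads()` on the stats.log captured after each restart shows whether the idle thread is always the same one.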


