[Oisf-users] Threads not doing any work

Duane Howard duane.security at gmail.com
Thu Oct 15 14:37:39 UTC 2015


It seems to change across restarts. Below is from stats captures with a
number of restarts over a couple of weeks. Stats are being written every 6
minutes.

$ cat stats.log | grep 'capture.kernel_packets' | grep '| 0$' | uniq -c |
egrep -v '[ ^I]+1 capture'
    360 capture.kernel_packets    | AFPacketbond01            | 0
    200 capture.kernel_packets    | AFPacketbond02            | 0
      2 capture.kernel_packets    | AFPacketbond03            | 0
     90 capture.kernel_packets    | AFPacketbond04            | 0
      3 capture.kernel_packets    | AFPacketbond010           | 0
    198 capture.kernel_packets    | AFPacketbond012           | 0
    102 capture.kernel_packets    | AFPacketbond01            | 0
     55 capture.kernel_packets    | AFPacketbond011           | 0
      8 capture.kernel_packets    | AFPacketbond02            | 0
      2 capture.kernel_packets    | AFPacketbond02            | 0
    175 capture.kernel_packets    | AFPacketbond03            | 0
      3 capture.kernel_packets    | AFPacketbond02            | 0
      6 capture.kernel_packets    | AFPacketbond03            | 0
     23 capture.kernel_packets    | AFPacketbond013           | 0
    219 capture.kernel_packets    | AFPacketbond02            | 0


On Thu, Oct 15, 2015 at 5:04 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Wed, Oct 14, 2015 at 10:03 PM, Duane Howard <duane.security at gmail.com>
> wrote:
> >>
> >>
> >> What cluster_type(and Suri version) are you using?
> >
> > version: 2.0.8 RELEASE
> > cluster-type: cluster_flow
> >>
> >>
> >> Is this consistent with Suricata's stats.log?
> >
> >
> > Yes, last two entries from stats.log:
> > capture.kernel_packets    | AFPacketbond01            | 1485572868
> > capture.kernel_packets    | AFPacketbond02            | 0
> > capture.kernel_packets    | AFPacketbond03            | 1377368199
> > capture.kernel_packets    | AFPacketbond04            | 1389788072
> > capture.kernel_packets    | AFPacketbond05            | 1428569217
> > capture.kernel_packets    | AFPacketbond06            | 1920661530
> > capture.kernel_packets    | AFPacketbond07            | 1408036528
> > capture.kernel_packets    | AFPacketbond08            | 1590766009
> > capture.kernel_packets    | AFPacketbond09            | 1494232281
> > capture.kernel_packets    | AFPacketbond010           | 1451044916
> > capture.kernel_packets    | AFPacketbond011           | 3252054939
> > capture.kernel_packets    | AFPacketbond012           | 3118034998
> > capture.kernel_packets    | AFPacketbond013           | 1493265432
> > capture.kernel_packets    | AFPacketbond014           | 1465651530
> > capture.kernel_packets    | AFPacketbond015           | 1513765413
> > capture.kernel_packets    | AFPacketbond016           | 1616881473
> > capture.kernel_packets    | AFPacketbond01            | 1500290226
> > capture.kernel_packets    | AFPacketbond02            | 0
> > capture.kernel_packets    | AFPacketbond03            | 1390539219
> > capture.kernel_packets    | AFPacketbond04            | 1402401529
> > capture.kernel_packets    | AFPacketbond05            | 1441521628
> > capture.kernel_packets    | AFPacketbond06            | 1934344963
> > capture.kernel_packets    | AFPacketbond07            | 1420926996
> > capture.kernel_packets    | AFPacketbond08            | 1604977752
> > capture.kernel_packets    | AFPacketbond09            | 1525281819
> > capture.kernel_packets    | AFPacketbond010           | 1464552695
> > capture.kernel_packets    | AFPacketbond011           | 3269385208
> > capture.kernel_packets    | AFPacketbond012           | 3131000528
> > capture.kernel_packets    | AFPacketbond013           | 1506020632
> > capture.kernel_packets    | AFPacketbond014           | 1477735937
> > capture.kernel_packets    | AFPacketbond015           | 1528967614
> > capture.kernel_packets    | AFPacketbond016           | 1629456468
> >
> >>
> >> You can try the latest git and use the rollover option  -
> >>
> >>
> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451
> >> and see if all threads are going to have packets? (you need kernel
> >> 3.10 and above).
> >
> > kernel version should be fine, won't have time to test this different
> mode
> > in the short term, but cluster flow seems to be working correctly with
> the
> > exception of this distinct thread?
>
> Is it always this thread or it changes across restarts?
>
> >>
> >>
> >>
> >> >
> >> > ./d
> >> >
> >> > _______________________________________________
> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> > Site: http://suricata-ids.org | Support:
> >> > http://suricata-ids.org/support/
> >> > List:
> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> > Suricata User Conference November 4 & 5 in Barcelona:
> >> > http://oisfevents.net
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
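The same check the `grep '| 0$' | uniq -c` pipeline performs, as an added Python example that is not from the thread: it parses `capture.kernel_packets` lines from a constructed stats.log excerpt, counts how many consecutive dumps each thread has sat at zero, and also flags threads whose cumulative counter is non-zero but stopped advancing, which a grep for `| 0$` alone would miss.

```python
import re
from collections import defaultdict

# Constructed sample of stats.log counter lines: three successive dumps.
# AFPacketbond02 never gets packets; AFPacketbond03 stops advancing in the last dump.
SAMPLE_STATS = """\
capture.kernel_packets    | AFPacketbond01            | 1485572868
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 1377368199
capture.kernel_packets    | AFPacketbond01            | 1500290226
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 1390539219
capture.kernel_packets    | AFPacketbond01            | 1514880000
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 1390539219
"""

# One counter line: "<counter> | <thread name> | <value>".
LINE_RE = re.compile(r"^\s*(?P<counter>[\w.]+)\s*\|\s*(?P<thread>\S+)\s*\|\s*(?P<value>\d+)\s*$")

def parse_counter(text, counter="capture.kernel_packets"):
    """Map each thread to its values for `counter`, in dump order."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("counter") == counter:
            series[m.group("thread")].append(int(m.group("value")))
    return dict(series)

def trailing_zero_run(values):
    """Consecutive most-recent dumps at 0 (per-thread form of the uniq -c counts)."""
    run = 0
    for v in reversed(values):
        if v != 0:
            break
        run += 1
    return run

def idle_threads(series, min_dumps=2):
    """Threads that reported 0 packets in each of the last `min_dumps` dumps."""
    return [t for t, vals in sorted(series.items()) if trailing_zero_run(vals) >= min_dumps]

def stalled_threads(series):
    """Threads whose non-zero counter did not advance between the last two dumps.
    kernel_packets is cumulative per thread (it resets on restart), so a value
    that is unchanged means the thread saw no new packets in that interval."""
    return [t for t, vals in sorted(series.items())
            if len(vals) >= 2 and vals[-1] == vals[-2] != 0]
```

Feed it the real stats.log instead of the constructed sample; a thread that shows up in `idle_threads` across restarts is the one to compare against the cluster_flow distribution.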