[Oisf-users] Threads not doing any work

Peter Manev petermanev at gmail.com
Fri Oct 16 15:36:22 UTC 2015


On Thu, Oct 15, 2015 at 4:37 PM, Duane Howard <duane.security at gmail.com> wrote:
> It seems to change across restarts, below is from stats captures with a
> number of restarts over a couple of weeks. Stats are being written every 6
> minutes.
>
> $ cat stats.log | grep 'capture.kernel_packets' | grep '| 0$' | uniq -c |
> egrep -v '[ ^I]+1 capture'
>     360 capture.kernel_packets    | AFPacketbond01            | 0
>     200 capture.kernel_packets    | AFPacketbond02            | 0
>       2 capture.kernel_packets    | AFPacketbond03            | 0
>      90 capture.kernel_packets    | AFPacketbond04            | 0
>       3 capture.kernel_packets    | AFPacketbond010           | 0
>     198 capture.kernel_packets    | AFPacketbond012           | 0
>     102 capture.kernel_packets    | AFPacketbond01            | 0
>      55 capture.kernel_packets    | AFPacketbond011           | 0
>       8 capture.kernel_packets    | AFPacketbond02            | 0
>       2 capture.kernel_packets    | AFPacketbond02            | 0
>     175 capture.kernel_packets    | AFPacketbond03            | 0
>       3 capture.kernel_packets    | AFPacketbond02            | 0
>       6 capture.kernel_packets    | AFPacketbond03            | 0
>      23 capture.kernel_packets    | AFPacketbond013           | 0
>     219 capture.kernel_packets    | AFPacketbond02            | 0
>

Ok.

Can you please try to:
1) Change the number of threads to 14/15 and see if the result is the same.
2) Reproduce that with 2.0.9/beta/latest git?

Thank you


>
> On Thu, Oct 15, 2015 at 5:04 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Wed, Oct 14, 2015 at 10:03 PM, Duane Howard <duane.security at gmail.com>
>> wrote:
>> >>
>> >>
>> >> What cluster_type (and Suri version) are you using?
>> >
>> > version: 2.0.8 RELEASE
>> > cluster-type: cluster_flow
>> >>
>> >>
>> >> Is this consistent with Suricata's stats.log?
>> >
>> >
>> > Yes, last two entries from stats.log:
>> > capture.kernel_packets    | AFPacketbond01            | 1485572868
>> > capture.kernel_packets    | AFPacketbond02            | 0
>> > capture.kernel_packets    | AFPacketbond03            | 1377368199
>> > capture.kernel_packets    | AFPacketbond04            | 1389788072
>> > capture.kernel_packets    | AFPacketbond05            | 1428569217
>> > capture.kernel_packets    | AFPacketbond06            | 1920661530
>> > capture.kernel_packets    | AFPacketbond07            | 1408036528
>> > capture.kernel_packets    | AFPacketbond08            | 1590766009
>> > capture.kernel_packets    | AFPacketbond09            | 1494232281
>> > capture.kernel_packets    | AFPacketbond010           | 1451044916
>> > capture.kernel_packets    | AFPacketbond011           | 3252054939
>> > capture.kernel_packets    | AFPacketbond012           | 3118034998
>> > capture.kernel_packets    | AFPacketbond013           | 1493265432
>> > capture.kernel_packets    | AFPacketbond014           | 1465651530
>> > capture.kernel_packets    | AFPacketbond015           | 1513765413
>> > capture.kernel_packets    | AFPacketbond016           | 1616881473
>> > capture.kernel_packets    | AFPacketbond01            | 1500290226
>> > capture.kernel_packets    | AFPacketbond02            | 0
>> > capture.kernel_packets    | AFPacketbond03            | 1390539219
>> > capture.kernel_packets    | AFPacketbond04            | 1402401529
>> > capture.kernel_packets    | AFPacketbond05            | 1441521628
>> > capture.kernel_packets    | AFPacketbond06            | 1934344963
>> > capture.kernel_packets    | AFPacketbond07            | 1420926996
>> > capture.kernel_packets    | AFPacketbond08            | 1604977752
>> > capture.kernel_packets    | AFPacketbond09            | 1525281819
>> > capture.kernel_packets    | AFPacketbond010           | 1464552695
>> > capture.kernel_packets    | AFPacketbond011           | 3269385208
>> > capture.kernel_packets    | AFPacketbond012           | 3131000528
>> > capture.kernel_packets    | AFPacketbond013           | 1506020632
>> > capture.kernel_packets    | AFPacketbond014           | 1477735937
>> > capture.kernel_packets    | AFPacketbond015           | 1528967614
>> > capture.kernel_packets    | AFPacketbond016           | 1629456468
>> >
>> >>
>> >> You can try the latest git and use the rollover option  -
>> >>
>> >>
>> >> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/master/entry/suricata.yaml.in#L451
>> >> and see if all threads are going to have packets? (you need kernel
>> >> 3.10 and above).
>> >
>> > kernel version should be fine, won't have time to test this different mode
>> > in the short term, but cluster flow seems to be working correctly with the
>> > exception of this distinct thread?
>>
>> Is it always this thread, or does it change across restarts?
>>
>> >>
>> >>
>> >>
>> >> >
>> >> > ./d
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev
>> >
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
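
A per-thread variant of the stats.log check quoted in this thread, as an added example that is not part of the original messages: it reports each capture thread whose `capture.kernel_packets` counter is zero or did not move since the previous dump, with the number of stalled dumps out of the dumps seen. The function names and the third dump in the sample are constructed for illustration; the first two dumps reuse counter lines quoted above.

```shell
#!/bin/sh
# Constructed sample: three stats.log dumps for three AF_PACKET threads.
sample_stats() {
cat <<'EOF'
Date: 10/14/2015 -- 20:00:00 (uptime: 0d, 00h 06m 00s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | AFPacketbond01            | 1485572868
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 1377368199
Date: 10/14/2015 -- 20:06:00 (uptime: 0d, 00h 12m 00s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | AFPacketbond01            | 1500290226
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 1390539219
Date: 10/14/2015 -- 20:12:00 (uptime: 0d, 00h 18m 00s)
Counter                   | TM Name                   | Value
capture.kernel_packets    | AFPacketbond01            | 1514000000
capture.kernel_packets    | AFPacketbond02            | 0
capture.kernel_packets    | AFPacketbond03            | 1390539219
EOF
}

# Reads stats.log (file arguments or stdin) and prints
# "<thread> <stalled dumps>/<total dumps>" for every thread that stalled.
idle_capture_threads() {
  awk -F'|' '
    $1 ~ /^capture\.kernel_packets[ \t]*$/ {
      name = $2; val = $3
      gsub(/[ \t]/, "", name)      # strip column padding
      gsub(/[ \t\r]/, "", val)
      val += 0                     # force numeric comparison
      seen[name]++
      # Stalled: counter is zero, or unchanged since the previous dump.
      # A lower value than before (counter reset on restart) is not a stall.
      if (val == 0 || ((name in prev) && val == prev[name]))
        stalled[name]++
      prev[name] = val
    }
    END {
      for (n in stalled)
        printf "%s %d/%d\n", n, stalled[n], seen[n]
    }' "$@" | sort
}

sample_stats | idle_capture_threads
```

Unlike the `grep '| 0$'` pipeline, this also catches a thread that received traffic at first and then stopped, which is why AFPacketbond03 is listed for the constructed third dump.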


