[Oisf-users] dev-detect-grouping-v174, only 2 cores being used?

Peter Manev petermanev at gmail.com
Tue Mar 1 06:47:33 UTC 2016


On Mon, Feb 29, 2016 at 10:37 PM, Barkley, Joey
<Joey.Barkley at ingramcontent.com> wrote:
> All,
>
>
> I've done some tweaking to my test instance but can't seem to get it running
> properly. Here is what I did:
>
>
> 1) Took the dev-detect-grouping-v174 branch and merged master (as of this
> morning, 2016-02-29) into it.

I would suggest do it step by step - in order to avoid excessive
troubleshooting if needed.
So start with just the dev-detect-grouping-v174 branch - but if you
start with that I would recommend the latest branch -
dev-detect-grouping-v178 branch -
https://github.com/inliniac/suricata/tree/dev-detect-grouping-v178


>
> 2) Built Suricata and used my normal config file, but made the required
> changes in the "detect" section.

What changes are those exactly? Can you share that section of the suricata.yaml?

>
>     a. I tried the default (profile medium, toclient 3, toserver 25) but
> then also changed to 30 and 250 just to test. Same results with both.
>

How many rules do you load?(or are you trying with no rules as a test)

> 3) I have 8 threads set, and I have management cpu set to 0,2 and detect cpu
> set to 4-14 (even number cores).
>
> 4) management cpu set is exclusive and high, so is detect cpu set
>
>
> Suricata starts up very quickly (few seconds) and consumes very little RAM.
> However, I get cpu 0 with a very small use %, and cpu's 4 & 14 pegged at
> 100%. kernel_drops are extremely high (compared to my working config).
>

This is - cpu's 4 and 14 are only pegged - not 4 through 14 (even
numbers only), is that correct?

>
> I know I've got a lot of variables in this setup, but does anyone see
> anything obviously wrong with how I've set things up? Should I stop
> separating out the management CPU set and just run them on the CPUs that the
> detect threads run on?
>
>
> Thanks,
>
> Joey Barkley
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev


More information about the Oisf-users mailing list