[Oisf-users] Runmode workers
Victor Julien
lists at inliniac.net
Thu Mar 10 10:34:19 EST 2016
On 10-03-16 16:25, elof2 at sentor.se wrote:
>
> Hi!
>
> On Mon, 30 Nov 2015, Victor Julien wrote:
>> In short: don't use auto.
>>
>> In general we recommend workers instead of autofp, so I suggest going
>> for that.
>
> ...and today, Oliver Humpage wrote:
>
>>> recommended runmode?
>> Default of autofp works fine here. worker specifically won’t work IIRC.
>
>
>
> Two contradicting recommendations...
>
> Suricata.yaml use autofp per default if you don't manually specify workers.
>
> So what gives?
> Should I use autofp or workers on FreeBSD sensors with netmap and intel
> 10GE NICs?
>
>
> I assume the answer is "workers".
>
> Then my immediate question is:
> Why don't the default suricata.yaml use "workers" if it is recommended?
Workers isn't very useful when there is a single reader, e.g. in pcap
mode. In that case it would just use a single thread.
Autofp can use that single reader to feed multiple threads. As autofp
gives reasonable performance in more scenarios it's the default.
But if your capture method supports workers properly, use that.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list