[Oisf-users] Runmode workers

Victor Julien lists at inliniac.net
Thu Mar 10 15:44:16 UTC 2016


On 10-03-16 16:34, Victor Julien wrote:
> On 10-03-16 16:25, elof2 at sentor.se wrote:
>>
>> Hi!
>>
>> On Mon, 30 Nov 2015, Victor Julien wrote:
>>> In short: don't use auto.
>>>
>>> In general we recommend workers instead of autofp, so I suggest going
>>> for that.
>>
>> ...and today, Oliver Humpage wrote:
>>
>>>> recommended runmode?
>>> Default of autofp works fine here. worker specifically won’t work IIRC.
>>
>>
>>
>> Two contradicting recommendations...
>>
>> Suricata.yaml use autofp per default if you don't manually specify workers.
>>
>> So what gives?
>> Should I use autofp or workers on FreeBSD sensors with netmap and intel
>> 10GE NICs?
>>
>>
>> I assume the answer is "workers".
>>
>> Then my immediate question is:
>> Why don't the default suricata.yaml use "workers" if it is recommended?
> 
> Workers isn't very useful when there is a single reader, e.g. in pcap
> mode. In that case it would just use a single thread.
> 
> Autofp can use that single reader to feed multiple threads. As autofp
> gives reasonable performance in more scenarios it's the default.
> 
> But if your capture method supports workers properly, use that.
> 

Btw, I think that in 3.1 we'll update the behavior to be capture method
specific. Meaning that if you use netmap/afpacket/pfring, it's going to
automatically use workers.

An older branch of that work is here
https://github.com/inliniac/suricata/pull/1737

I will create an up to date version of that soon, now that bug 1591 is
fixed.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------




More information about the Oisf-users mailing list