[Oisf-users] Runmode workers

Victor Julien lists at inliniac.net
Thu Mar 10 16:12:14 UTC 2016


On 10-03-16 16:44, Victor Julien wrote:
> On 10-03-16 16:34, Victor Julien wrote:
>> On 10-03-16 16:25, elof2 at sentor.se wrote:
>>>
>>> Hi!
>>>
>>> On Mon, 30 Nov 2015, Victor Julien wrote:
>>>> In short: don't use auto.
>>>>
>>>> In general we recommend workers instead of autofp, so I suggest going
>>>> for that.
>>>
>>> ...and today, Oliver Humpage wrote:
>>>
>>>>> recommended runmode?
>>>> Default of autofp works fine here. worker specifically won’t work IIRC.
>>>
>>>
>>>
>>> Two contradicting recommendations...
>>>
>>> Suricata.yaml uses autofp by default if you don't manually specify workers.
>>>
>>> So what gives?
>>> Should I use autofp or workers on FreeBSD sensors with netmap and intel
>>> 10GE NICs?
>>>
>>>
>>> I assume the answer is "workers".
>>>
>>> Then my immediate question is:
>>> Why doesn't the default suricata.yaml use "workers" if it is recommended?
>>
>> Workers isn't very useful when there is a single reader, e.g. in pcap
>> mode. In that case it would just use a single thread.
>>
>> Autofp can use that single reader to feed multiple threads. As autofp
>> gives reasonable performance in more scenarios it's the default.
>>
>> But if your capture method supports workers properly, use that.
>>
> 
> Btw, I think that in 3.1 we'll update the behavior to be capture method
> specific. Meaning that if you use netmap/afpacket/pfring, it's going to
> automatically use workers.

Actually, I am mixing up things. This feature is already in 3.0.


> An older branch of that work is here
> https://github.com/inliniac/suricata/pull/1737
> 
> I will create an up to date version of that soon, now that bug 1591 is
> fixed.

This is about making -i use afpacket if available. I just rebased that:
https://github.com/inliniac/suricata/pull/1922

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



