[Oisf-users] AF_PACKET: fanout not supported on this system, falling back to 1 capture thread
ltow at centrum.cz
ltow at centrum.cz
Tue Oct 4 23:04:48 UTC 2016
Hello,
using stop Debian Jessie kernel:
root at mirach:~# uname -a
Linux mirach 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux
and jessie-backport Suricata package:
root at mirach:~# suricata -V
This is Suricata version 3.1.2 RELEASE
I am not able to use AF_PACKET fanout, as check for fanout is failing and only one detect thread is started instead:
root at mirach:~# suricata -c /etc/suricata/suricata.yaml --af-packet=eth2 --runmode workers -vvvvv
......
5/10/2016 -- 00:47:59 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
5/10/2016 -- 00:47:59 - <Info> - stats output device (regular) initialized: stats.log
5/10/2016 -- 00:47:59 - <Notice> - fanout not supported on this system, falling back to 1 capture thread
5/10/2016 -- 00:47:59 - <Info> - Going to use 1 thread(s)
5/10/2016 -- 00:47:59 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
My intentions are to use CPU affinity on NIC IRQs to distribute the traffic and bound one Suricata worker thread to each CPU to process packets.
As kernel version is definitely higher than required for AF_PACKET I would expect fanout to be fully supported. So probably just the check added in Suricata version 3.1 to validate fanout support is failing?
Here are the relevant parts of cfg:
host-mode: auto
runmode: workers
af-packet:
- interface: eth2
threads: 16
cluster-id: 99
cluster-type: cluster_cpu
defrag: yes
use-mmap: yes
mmap-locked: yes
ring-size: 1024
threading:
set-cpu-affinity: yes
cpu-affinity:
- management-cpu-set:
cpu: [ "all" ]
mode: "balanced"
prio:
default: "low"
- worker-cpu-set:
cpu: [ 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31 ]
mode: "exclusive"
prio:
default: "high"
detect-thread-ratio: 1.0
Do you have any hints please? Thank you. :-)
BR
Litin
More information about the Oisf-users
mailing list