[Oisf-users] Processing threads vs Management threads

Victor Julien lists at inliniac.net
Wed Nov 1 15:32:05 UTC 2017

On 01-11-17 16:21, Ale Fredes Hadad wrote:
> Hello everyone!
> I would like to ask a (dumb?) question. I am learning about Suricata and
> when I run it in IDS mode it shows that I have "all 4 processing
> threads, 4 management threads", so I understand that Suricata is using
> all the threads that are available to do management tasks (receive-,
> decode-, stream-, detect-, verdict-, reject- and outputs-set). However,
> when I run Suricata in IPS mode it shows all 6 processing threads but
> only uses 4 threads for management. Why is that happening?
> Thanks!

Packet threads process the packets; generally you'll have one per core
(or hyperthread) in 'workers' mode. In autofp you'll have 1 or more
capture threads, plus one per core (or hyperthread) doing detection,
logging, etc.

In IPS mode (at least for NFQ) you have an extra thread for IPS, the
'verdict' thread. It communicates IPS 'verdicts' back to the kernel.

Management threads do asynchronous tasks independent of the packets. For
example manage the flow table, do stats logging, etc.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
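The three kinds of thread described in the reply (capture/receive, packet
worker, management, plus the NFQ verdict thread) map onto distinct
`cpu-affinity` sets in `suricata.yaml`. The fragment below is an added
illustration, not part of the original thread or of the Suricata project's
files; the key names follow the stock `suricata.yaml` shipped with Suricata,
while the CPU numbers and thread counts are constructed values for a
hypothetical 4-core sensor and must be adapted to the host.

```yaml
# Added example (not from the mailing-list post): pin Suricata's thread
# classes to separate CPUs so management work cannot starve packet workers.

# 'workers' = one packet thread per core doing capture+decode+detect+output.
# 'autofp'  = dedicated receive thread(s) that hand packets to worker threads.
runmode: workers

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    # Management threads (flow manager, flow recycler, stats logging) are
    # asynchronous and not in the packet path: keep them off the worker cores.
    - management-cpu-set:
        cpu: [ 0 ]

    # Only used in autofp mode: the capture/receive thread(s).
    - receive-cpu-set:
        cpu: [ 0 ]

    # Packet processing threads (decode, stream, detect, outputs).
    # Constructed: cores 1-3 of a hypothetical 4-core box.
    - worker-cpu-set:
        cpu: [ "1-3" ]
        mode: "exclusive"
        # Pin a fixed thread count instead of deriving it from detect-thread-ratio.
        threads: 3
        prio:
          default: "high"

    # IPS/NFQ only: the extra 'verdict' thread that returns verdicts to the kernel.
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"

  # In autofp mode: worker threads = detect-thread-ratio * number of CPUs.
  detect-thread-ratio: 1.0
```

With `set-cpu-affinity: yes` the thread counts reported at startup follow
from the sets above rather than from the core count alone, which is a quick
way to confirm which threads Suricata treats as packet threads and which as
management threads in the run mode in use.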
