List:       oisf-users
Subject:    Re: [Oisf-users] Processing threads vs Management threads
From:       Victor Julien <lists () inliniac ! net>
Date:       2017-11-01 15:32:05
Message-ID: 3ac06dd9-0723-6de8-798c-b8c256638af5 () inliniac ! net

On 01-11-17 16:21, Ale Fredes Hadad wrote:
> Hello everyone!
> 
> I would like to ask a (dumb?) question. I am learning about Suricata and
> when I run it in IDS mode it shows that I have "all 4 processing
> threads, 4 management threads", so I understand that Suricata is using
> all the threads that are available to do management tasks (receive-,
> decode-, stream-, detect-, verdict-, reject- and outputs-set). However,
> when I run Suricata in IPS mode it shows all 6 processing threads but
> only uses 4 threads for management. Why is that happening?
> Thanks!
> 

Packet threads process the packets, generally you'll have one per core
(or hyperthread) in 'workers' mode. In autofp you'll have 1 or more
capture threads, plus one per core (or hyperthread) doing detection,
logging, etc.

In IPS mode (at least for NFQ) you have an extra thread for IPS, the
'verdict' thread. It communicates IPS 'verdicts' back to the kernel.

Management threads do asynchronous tasks independent of the packets. For
example manage the flow table, do stats logging, etc.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/