Hello Peter,
thank you for your reply.
even on the same NIC with multiple physical interfaces (multiport NIC) these be treated separately.
Regarding passive TAP mode, I agree that Suricata shall see the flow from both sides. But I didn't find any information that traffic has to come to the same interface! For example, Suricata in IPS mode will also receive both directions of the traffic on two interfaces. So I would welcome more information about how Suricata could handle passive TAPs.
But as this is IMHO not related to the issue described above, I would not like to mix these two topics together. I will create another topic for discussing passive TAPs.
So regarding my current issue, short summary:
- we can see packets coming to RSS queues spread ~ evenly.
- we can see RSS queues pinned to correct CPU cores.
- we can see Suricata threads pinned to the same CPU cores.
- half of the cores (the second threads on the same phys CPU cores) are not being loaded by the Suricata worker process (observed in both top and htop)