Control of threads for pcap-file ingestion with unix socket

I’m running Suricata in with a unix socket (--unix-socket --set unix-command.enabled=true) for processing a bunch of PCAP files, sending them with the pcap-file command.

I’ve read the documentation on threading, but it’s not clear to me: which setting(s) control how many concurrent PCAP files are processed using this method? In other words, if I queue 10 PCAP files via a pcap-file command, how can I designate to Suricata that I would like to use 2 (or 3 or 4 or whatever) threads concurrently to work through those PCAP files?

After playing around with it, I think the minimum configuration to do what I’m talking about is this, but I’d love a sanity check:

threading:
  set-cpu-affinity: yes
  cpu-affinity:
  - worker-cpu-set:
      cpu:
      - all
      mode: balanced
      threads: 3

From what I can see, this is, I think, creating 3 worker threads. Are there other CPU sets (receive-cpu-set?) that also need this treatment?

Can you share your suricata.yaml config and how you run Suricata? Ideally also at stats.log and suricata.log.

The threading settings are mostly depending on the runmode.

Thanks for checking in. I’ve been running this for about three weeks now and have been pretty satisfied that I’ve done it correctly, but here’s my files:

suricata.log (1.5 KB)
suricata.yaml (76.7 KB)

In this example I have 2 threads for PCAP processing (see the threading section at the bottom).

Do the stats in the stats.log also look as expected?