Hi
I am using PCAP files to test the performance of Suricata 6.0.10. I want to test its performance with different threads and cores. I read from https://suricata.readthedocs.io that multiply capture threads are supported in autofp mode. However, I can’t find how to enable it.
I configured the CPU-affinity option in Suricata.yaml like this;
threading:
set-cpu-affinity: yes
# Tune cpu affinity of threads. Each family of threads can be bound
# to specific CPUs.
#
# These 2 apply to the all runmodes:
# management-cpu-set is used for flow timeout handling, counters
# worker-cpu-set is used for 'worker' threads
#
# Additionally, for autofp these apply:
# receive-cpu-set is used for capture threads
# verdict-cpu-set is used for IPS verdict threads
#
cpu-affinity:
- management-cpu-set:
cpu: [84-91]
- receive-cpu-set:
cpu: [92-95]
- worker-cpu-set:
cpu: [28-31]
mode: "exclusive"
# Use explicitly 3 threads and don't compute number by using
# detect-thread-ratio variable:
threads: 4
prio:
# low: [ 0 ]
# medium: [ "1-2" ]
# high: ["28-35", "84-91"]
default: "high"
#- verdict-cpu-set:
# cpu: [ 0 ]
# prio:
# default: "high"
You can see I set CPU 92-95 to receive-cpu-set, which should be used to configure multi capture threads. But I only see core 92 is working. It seems like only one capture thread is configure. I wonder why this happened. Can you tell me how to enable multi capture threads?
I use 6 pcap files and autofp mode. I run Suricata with this command:
./bench_install_root/usr/bin/suricata -c ./suricata.yaml -r ./pcap_files -l ./log_std/log_hs_hs
Thanks!!!