Running suricata in single threaded mode with windivert module

Prateek · February 27, 2023, 6:06am

How can we run Suricata in single threaded mode with windivert?

Using the below command:
suricata.exe -c suricata.yaml --windivert “true”
I got this as output.

How do I make packet processing threads and management threads initialized to 1.

The runmode type for windivert is : autofp only, below is the attachment:

Is it possible to make suricata run on single thread with windivert?

Andreas_Herz · February 27, 2023, 7:06pm

I didn’t try it on windivert but you can control the cpu affinity in the config file, see 10.1. Suricata.yaml — Suricata 6.0.10 documentation

PrateekPrabhu · March 1, 2023, 8:54am

@Andreas_Herz
I made the changes in the yaml file as you said,

But I could not change the packet processing threads.

Here is the output to list the runmode:

Here, by default windivert is working on multi-thread.

Is there any way to change it or should I compile the source code and make the changes?

Andreas_Herz · March 1, 2023, 8:57am

Please paste your config file first so we can check the settings.

PrateekPrabhu · March 1, 2023, 9:01am

@Andreas_Herz
Sure, this is the config file:
suricata.yaml (72.7 KB)
Let me know if any other changes are required.
Thanks

Andreas_Herz · March 1, 2023, 6:58pm

First of all I just noticed you are using 6.0.0 beta1, please use the stable 6.0.10 release.

Second, you can chance the prio section in the affinity to also use just the core 0 and in addition to that feel free to try out the detect-thread-ratio setting and reduce it to 0.5 or even lower.

I personally never tried it on windows, so see those second points just as possible suggestion. Also what CPU is used in that scenario?

PrateekPrabhu · March 7, 2023, 9:19am

Hi @Andreas_Herz
I used 6.0.0 beta1 because in that installer, windivert was enabled. I tried with the 6.0.10, but windivert was disabled.
I tried with with the points which you shared, by reducing thread-ratio, but the thread count was not set to 1.
I am using it on the machine with 8 CPU and 8 cores.
If there is any other solution, please share it.
Thank you.

vjulien · March 7, 2023, 10:23am

Check:
https://www.openinfosecfoundation.org/downloads/windows/

E.g. 6.0.10:
https://www.openinfosecfoundation.org/downloads/windows/Suricata-6.0.10-windivert-1-64bit.msi

PrateekPrabhu · March 7, 2023, 11:21am

Hi @vjulien
Thank you for sharing the link.
I installed this and tried to run suricata with windivert and made the changes in the configuration file to make it single threaded, but still it runs in multi-threaded mode itself.

vjulien · March 7, 2023, 4:00pm

Looks like no “single” mode is implemented for our windivert integration.

PrateekPrabhu · March 8, 2023, 10:40am

@vjulien Thank you for the help

Topic		Replies	Views
Workers mode : forced to one thread? Help pfsense	18	4761	June 15, 2021
How to enable more capture threads in autofp mode? Help suricata	2	309	May 19, 2023
Suricata 6.0.4: SURICATA STREAM pkt seen on wrong thread Help	6	1226	June 7, 2022
AF_Packets using only one capture thread Help ips	3	1809	April 5, 2021
Performance and cpu usage Suricata 6/5 Developers	6	708	April 4, 2022

Running suricata in single threaded mode with windivert module

Related Topics