Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Suricata using only one core
« previous
next »
Print
Pages: [
1
]
Author
Topic: Suricata using only one core (Read 13981 times)
ejprice
Newbie
Posts: 33
Karma: 6
Suricata using only one core
«
on:
March 03, 2017, 04:55:36 am »
Forgive my newbieness but it appears to me that Suricata while being multithreaded is only using one core on my OPNSense box. I noticed this while doing multiple downloads of large files simultaneously.
I initially noticed it because I wanted to check the load on my new OPNSense firewall. After running 'top' from the shell I noticed one CPU running Suricata was pinned at 100% while the other was relatively idle. I then did some checking about Suricata to see if it was multithreaded or multiprocess. It claims to be multithreaded. I tried the downloads again, same behavior so I put 'top' into threads mode. Sure enough, multiple threads but the ones under load were running on the same core.
I don't believe this is the correct or expected behavior for a multithreaded application.
System in question is OPNSense 17.1.2 running on a x86_64 Core 2 Duo with 2GB ram and SSD drive.
Steps to reproduce:
1) Download multiple streams of "stuff" at a sufficiently high download speed
2) run top or something else to watch the load on the system. Press "H" to view all the threads under load running on one core (there were other Suricata threads but with little to no CPU time)
Can anyone else confirm this behavior?
Logged
"Computers allow people to make mistakes faster than anything else in history, with the possible exception of handguns and tequila."
KD93
Newbie
Posts: 1
Karma: 0
Re: Suricata using only one core
«
Reply #1 on:
March 16, 2017, 08:36:55 am »
Same for me.
Suricata is running on one interface for me (em1) and shows the following threads when it's under high load:
PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
33051 root 103 0 898M 475M CPU1 1 3:49 100.00% suricata{W#01-em1+}
33051 root -92 0 898M 475M select 2 0:42 16.55% suricata{W#01-em1}
33051 root 20 0 898M 475M uwait 2 0:24 0.33% suricata{FM#01}
33051 root 20 0 898M 475M nanslp 1 0:18 0.16% suricata{suricata}
Logged
ejprice
Newbie
Posts: 33
Karma: 6
Re: Suricata using only one core
«
Reply #2 on:
March 28, 2017, 05:07:04 pm »
Anyone else try testing this? It seems to be a very limiting factor on a SMP box.
Logged
"Computers allow people to make mistakes faster than anything else in history, with the possible exception of handguns and tequila."
tcmax
Newbie
Posts: 8
Karma: 1
Re: Suricata using only one core
«
Reply #3 on:
March 28, 2017, 05:17:56 pm »
Me too on a APU2C4 with latest 17.1.3
Logged
sagem2004
Newbie
Posts: 40
Karma: 2
Re: Suricata using only one core
«
Reply #4 on:
March 28, 2017, 05:39:33 pm »
Me too on a J1900 Router Qotom-Q190G4N 17.1.3
Logged
rgo
Newbie
Posts: 27
Karma: 1
Re: Suricata using only one core
«
Reply #5 on:
March 28, 2017, 06:44:30 pm »
Same here on 3 different test installs of opnsense for 17.1.3. Only using 1 core.
Logged
tcmax
Newbie
Posts: 8
Karma: 1
Re: Suricata using only one core
«
Reply #6 on:
March 28, 2017, 06:54:21 pm »
Any chance to force suricata using more cores?
Logged
ejprice
Newbie
Posts: 33
Karma: 6
Re: Suricata using only one core
«
Reply #7 on:
March 28, 2017, 08:06:10 pm »
I've tried changing some of the Suricata settings but so far no luck.
Logged
"Computers allow people to make mistakes faster than anything else in history, with the possible exception of handguns and tequila."
tcmax
Newbie
Posts: 8
Karma: 1
Re: Suricata using only one core
«
Reply #8 on:
March 29, 2017, 05:09:30 pm »
Here ist a part from the boot logfile.
Maybe that´s the reason...?!
"Starting suricata.
29/3/2017 -- 16:57:19 - <Warning> - [ERRCODE: SC_WARN_FASTER_CAPTURE_AVAILABLE(275)] - faster capture option is available: NETMAP (--netmap=igb1). Use --pcap=igb1 to suppress this warning
29/3/2017 -- 16:57:19 - <Info> - Including configuration file installed_rules.yaml.
Starting CRON...done."
«
Last Edit: March 29, 2017, 05:28:39 pm by tcmax
»
Logged
ejprice
Newbie
Posts: 33
Karma: 6
Re: Suricata using only one core
«
Reply #9 on:
March 29, 2017, 10:43:15 pm »
Hmm. My command line shows I'm using netmap. I think that is the out-of-the-box setting.
/usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid {...}
Logged
"Computers allow people to make mistakes faster than anything else in history, with the possible exception of handguns and tequila."
johan
Newbie
Posts: 2
Karma: 0
Re: Suricata using only one core
«
Reply #10 on:
April 27, 2017, 09:42:05 pm »
I seem to get Suricata to distribute load more evenly among cores by switching the runmode from "workers" to "autofp".
The work that Suricata assign cores is quite different with the runmodes, described shortly here:
http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#ips-mode
What I did was change
runmode: workers
to
runmode: autofp
in
/usr/local/etc/suricata/suricata.yaml
and restart suricata using the gui.
Logged
tcmax
Newbie
Posts: 8
Karma: 1
Re: Suricata using only one core
«
Reply #11 on:
April 29, 2017, 11:06:56 am »
when i change this parameter, my throughpout drops from 7.6 mb/sec to 5.4 mb/sec :-(
HW: APU2C4
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.1 Legacy Series
»
Suricata using only one core