https://inliniac.net/blog/tag/threading/ Recent content in Threading on Inliniac Hugo en Tue, 10 Jul 2012 15:22:02 +0000 https://inliniac.net/blog/2012/07/10/suricata-on-myricom-capture-cards/ Tue, 10 Jul 2012 15:22:02 +0000 https://inliniac.net/blog/2012/07/10/suricata-on-myricom-capture-cards/ <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/myricom-sync-adapter-1.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/07/myricom-sync-adapter-1.png?w=300" alt=""></a> Myricom and OISF just <a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/158-myricom-joins-oisf">announced</a> that Myricom joined to OISF consortium to support the development of Suricata. The good folks at Myricom already sent me one of their cards earlier. In this post I&rsquo;ll describe how you can use these cards already, even though Suricata doesn&rsquo;t have native Myricom support yet. So in this guide I&rsquo;ll describe using the Myricom libpcap support.</p> <p><strong>Getting started</strong></p> <p>I&rsquo;m going to assume you installed the card properly, installed the Sniffer driver and made sure that all works. Make sure that in your <em>dmesg</em> you see that the card is in sniffer mode:</p> https://inliniac.net/blog/2012/05/29/suricata-scaling-improvements/ Tue, 29 May 2012 15:52:52 +0000 https://inliniac.net/blog/2012/05/29/suricata-scaling-improvements/ <p>For the Suricata 1.3beta1 release, one of our goals was to improve the scalability of the engine when running on many cores. As the graph below shows, we made a good deal of progress.</p> <p><a href="https://inliniac.net/blog/blog/wp-content/uploads/2012/05/suri11vs13.png"><img src="https://inliniac.net/blog/blog/wp-content/uploads/2012/05/suri11vs13.png" alt=""></a></p> <p>The blue line is an older 1.1 version, the yellow line is 1.3dev. It clearly shows that 1.1 peaked at 4 cores, then started to get serious contention issues. 1.3dev scales nicely beyond that, up to 24 cores in this test (four 6core AMD cpu&rsquo;s). Tilera recently demonstrated Suricata on their many core systems, running a single Suricata process per cpu. Their cpu&rsquo;s have 36 real cores.</p> https://inliniac.net/blog/2012/03/23/suricata-runmode-changes/ Fri, 23 Mar 2012 07:31:45 +0000 https://inliniac.net/blog/2012/03/23/suricata-runmode-changes/ <p>Yesterday I pushed a patch that changes the default runmode from &ldquo;auto&rdquo; to &ldquo;autofp&rdquo;. The autofp name stands for &ldquo;auto flow pinning&rdquo; and it automatically makes sure all packets belonging to a flow are processed by the same stream, detection and output thread. Until now, the assignment was done with a simple hash calculation. The problem with that is that it doesn&rsquo;t take into account how busy a thread may be.</p> https://inliniac.net/blog/2010/12/24/listening-on-multiple-interfaces-with-suricata/ Fri, 24 Dec 2010 13:13:24 +0000 https://inliniac.net/blog/2010/12/24/listening-on-multiple-interfaces-with-suricata/ <p>A question I see quite often is, can I listen on multiple interfaces with a single Suricata instance? Until now the answer always was &ldquo;no&rdquo;. I&rsquo;d suggest trying the &ldquo;any&rdquo;-pseudo interface (suricata -i any), with an bpf to limit the traffic or using multiple instances of Suricata. That last suggestion was especially painful, as one of the goals of Suricata is to allow a single process to process all packets using all available resources.</p>