Support #2635
closedMulti-threading not working correctly
Description
I have been troubleshooting an issue we are having with Suricata's multi-threading.
Some of the tcp based alerts aren't getting triggered when Suricata is running in IDS interface sniffing mode with AF_Packet.
While running it in offline mode, with runmode: single, reading a pcap of some traffic I generated from my laptop (using $curl -A "SearchProtect" http://cnn.com), will fire some alerts (eg: sid: 2022813), which never gets fired when running suricata in packet sniffing mode and generating same traffic from my laptop. I verified that the traffic is reaching the box and not getting dropped on the interface.
I narrowed down the issue to be something to do with how packets are getting distributed in multi-threading mode in suricata, and maybe because of packets re-ordering the tcp based alerts do not get fired often.
I have followed the steps in SepTune doc to pin the Interrupts/IRQs to the specific cpus and use rest as "workers", but no success so far.
Updated by Andreas Herz about 6 years ago
Can you give us more details about your setup, especially configuration and how you run suricata (commandline)?
Updated by Andreas Herz over 5 years ago
- Assignee set to FATEMA WALA
- Target version set to Support
Updated by Andreas Herz about 5 years ago
- Status changed from Feedback to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs