Snort mailing list archives
Re: How to force Snort 3.0 Alpha to run in multiple threads
From: Russ <rucombs () cisco com>
Date: Tue, 17 Nov 2015 05:26:10 -0500
On 11/17/15 2:16 AM, Dong Phuong wrote:
Yes - you need to provide more than 1 source (pcap or iface). Currently Snort++ does not do internal load balancing which means all packets from a source go to the same thread, so to use multiple threads provide multiple sources. Check the usage section in the manual for examples with -z or --max-packet-threads.Hi all,I’m testing Snort 3.0.0-a2 with the options –max-packet-threads is configured to 2, 4 , 8 …, like this : $ sudo /usr/local/snort3/bin/snort -c /usr/local/snort3/etc/snort/snort.lua -R /usr/local/snort3/etc/snort/sample.rules -r ../ni0.pcap -n 600000 -z 8 However, when I used valgrind to check the number of threads that Snort is actually running on, there’s always just 2 threads :==2672== ---Thread-Announcement------------------------------------------ ==2672== ==2672== Thread #2 was created ==2672== at 0x78288FE: clone (in /lib64/libc-2.12.so) ==2672== by 0x4E368BF: do_clone.clone.0 (in /lib64/libpthread-2.12.so)==2672== by 0x4E36E1C: pthread_create@@GLIBC_2.2.5 (in /lib64/libpthread-2.12.so)==2672== by 0x4C2CF3C: pthread_create_WRK (hg_intercepts.c:255) ==2672== by 0x4C2D04B: pthread_create@* (hg_intercepts.c:286)==2672== by 0x705184E: std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>) (gthr-default.h:662) ==2672== by 0x416447: Pig::start(unsigned int, char const*, Swapper*) (thread:135)==2672== by 0x416CD8: main (main.cc:818) ==2672== ==2672== ---------------------------------------------------------------- So is there anyway to force Snort to run on more than 2 threads ?
Thank you, ------------------------------------------------------------------------------ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- How to force Snort 3.0 Alpha to run in multiple threads Dong Phuong (Nov 16)
- Re: How to force Snort 3.0 Alpha to run in multiple threads Russ (Nov 17)