[Snort-devel] How to force Snort 3.0 Alpha to run in multiple threads

Russ rucombs at ...3461...
Tue Nov 17 05:26:10 EST 2015



On 11/17/15 2:16 AM, Dong Phuong wrote:
> Hi all,
> I’m testing Snort 3.0.0-a2 with the options –max-packet-threads is 
> configured to 2, 4 , 8 …, like this :
> $ sudo /usr/local/snort3/bin/snort -c 
> /usr/local/snort3/etc/snort/snort.lua -R 
> /usr/local/snort3/etc/snort/sample.rules -r ../ni0.pcap -n 600000 -z 8
> However, when I used valgrind to check  the number of threads that 
> Snort is actually running on, there’s always just 2 threads :
> ==2672== ---Thread-Announcement------------------------------------------
> ==2672==
> ==2672== Thread #2 was created
> ==2672== at 0x78288FE: clone (in /lib64/libc-2.12.so)
> ==2672== by 0x4E368BF: do_clone.clone.0 (in /lib64/libpthread-2.12.so)
> ==2672== by 0x4E36E1C: pthread_create@@GLIBC_2.2.5 (in 
> /lib64/libpthread-2.12.so)
> ==2672== by 0x4C2CF3C: pthread_create_WRK (hg_intercepts.c:255)
> ==2672== by 0x4C2D04B: pthread_create@* (hg_intercepts.c:286)
> ==2672== by 0x705184E: 
> std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>) 
> (gthr-default.h:662)
> ==2672== by 0x416447: Pig::start(unsigned int, char const*, Swapper*) 
> (thread:135)
> ==2672== by 0x416CD8: main (main.cc:818)
> ==2672==
> ==2672== ----------------------------------------------------------------
> So is there anyway to force Snort to run on more than 2 threads ?
Yes - you need to provide more than 1 source (pcap or iface). Currently 
Snort++ does not do internal load balancing which means all packets from 
a source go to the same thread, so to use multiple threads provide 
multiple sources.  Check the usage section in the manual for examples 
with -z or --max-packet-threads.
> Thank you,
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20151117/94e5d214/attachment.html>


More information about the Snort-devel mailing list