<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    snort_main_thread_pid is used for packet processing,
    snort_reload_thread_pid is for reloading.<br>
    <br>
    You might see from log:  <br>
    Commencing packet processing #main_thread_id<br>
    Reload thread started, thread #reload_thread_id<br>
    <br>
    Best,<br>
    Hui.<br>
    <div class="moz-cite-prefix">On 04/24/2014 07:55 AM, Y M wrote:<br>
    </div>
    <blockquote cite="mid:COL129-W55CE397612696C132F5F5DA85B0@...12678..."
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
      <div dir="ltr">>Snort packet processing is still single thread,
        but it also has other threads such as reload thread, control
        socket thread etc. The reload thread should be idle majority of
        the time.  If >you suspected it is restarting, you will not
        see any message like “snort reloaded…”. You will see “snort
        initializing “ or “restart” in the messages.
        <div><br>
        </div>
        <div>Thanks Hui. That pretty much explains it. Is there a way to
          tell which thread belongs to which Snort thread? </div>
        <div><br>
        </div>
        <div>YM<br>
          <br>
          <div>
            <hr id="stopSpelling">From: <a class="moz-txt-link-abbreviated" href="mailto:huica@...589...">huica@...589...</a><br>
            To: <a class="moz-txt-link-abbreviated" href="mailto:snort@...15979...">snort@...15979...</a>; <a class="moz-txt-link-abbreviated" href="mailto:wkitty42@...14940...">wkitty42@...14940...</a>;
            <a class="moz-txt-link-abbreviated" href="mailto:sgierczak@...16714...">sgierczak@...16714...</a><br>
            CC: <a class="moz-txt-link-abbreviated" href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br>
            Subject: Re: [Snort-users] AANVAL or MYSQL question<br>
            Date: Wed, 23 Apr 2014 22:03:07 +0000<br>
            <br>
            <div>Snort packet processing is still single thread, but it
              also has other threads such as reload thread, control
              socket thread etc. The reload thread should be idle
              majority of the time.  If you suspected it is restarting,
              you will not see any message like “snort reloaded…”. You
              will see “snort initializing “ or “restart” in the
              messages.</div>
            <div><br>
            </div>
            <div>Best,</div>
            <div>Hui.</div>
            <div><br>
            </div>
            <span id="ecxOLK_SRC_BODY_SECTION">
              <div
                style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium
                none;BORDER-LEFT:medium
                none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df
                1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt;">
                <span style="font-weight:bold;">From: </span>Y M <<a
                  moz-do-not-send="true" href="mailto:snort@...15979...">snort@...15979...</a>><br>
                <span style="font-weight:bold;">Date: </span>Wednesday,
                April 23, 2014 at 5:19 PM<br>
                <span style="font-weight:bold;">To: </span>waldo kitty
                <<a moz-do-not-send="true"
                  href="mailto:wkitty42@...14940...">wkitty42@...14940...</a>>,
                "Gierczak, Stan" <<a moz-do-not-send="true"
                  href="mailto:sgierczak@...16714...">sgierczak@...16714...</a>><br>
                <span style="font-weight:bold;">Cc: </span>snort-users
                <<a moz-do-not-send="true"
                  href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a>><br>
                <span style="font-weight:bold;">Subject: </span>Re:
                [Snort-users] AANVAL or MYSQL question<br>
              </div>
              <div><br>
              </div>
              <div>
                <style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}

.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}

--></style>
                <div class="ecxhmmessage">
                  <div dir="ltr">> @YM: maybe these are two threads
                    of the same process? i see similar on my own <br>
                    > systems... three of them if i compile with the
                    reload capability...
                    <div><br>
                    </div>
                    <div>Isn't Snort single-threaded? I wouldn't imagine
                      it will be creating another "thread" other than
                      its own. On systems i look for there is only one
                      process on every system I checked. May be OS
                      specific? not likely?</div>
                    <div><br>
                    </div>
                    <div>I forgot to mentions that my systems are also
                      compiled with reload. Which brings the question of
                      if the Snort has been reloaded (not restarted) on
                      these systems or these processes are showing up
                      after a clean reboot?</div>
                    <div><br>
                    </div>
                    <div>YM</div>
                    <br>
                    <div>
                      <hr id="ecxstopSpelling">
                      From: <a moz-do-not-send="true"
                        href="mailto:snort@...15979...">snort@...15979...</a><br>
                      To: <a moz-do-not-send="true"
                        href="mailto:wkitty42@...14940...">wkitty42@...14940...</a>;
                      <a moz-do-not-send="true"
                        href="mailto:sgierczak@...16714...">
                        sgierczak@...16714...</a><br>
                      Date: Wed, 23 Apr 2014 21:13:32 +0000<br>
                      CC: <a moz-do-not-send="true"
                        href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br>
                      Subject: Re: [Snort-users] AANVAL or MYSQL
                      question<br>
                      <br>
                      <style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}

.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}


--></style>
                      <div dir="ltr">> @YM: maybe these are two
                        threads of the same process? i see similar on my
                        own <br>
                        > systems... three of them if i compile with
                        the reload capability...
                        <div><br>
                        </div>
                        <div>Isn't Snort single-threaded? I wouldn't
                          imagine it will be creating another "thread"
                          other than its own. On systems i look for
                          there is only one process on every system I
                          checked. May be OS specific? not likely?</div>
                        <div><br>
                        </div>
                        <div>YM<br>
                          <br>
                          <div>> Date: Wed, 23 Apr 2014 13:49:37
                            -0400<br>
                            > From: <a moz-do-not-send="true"
                              href="mailto:wkitty42@...14940...">wkitty42@...14940...</a><br>
                            > To: <a moz-do-not-send="true"
                              href="mailto:SGierczak@...16714...">SGierczak@...16714...</a>;
                            <a moz-do-not-send="true"
                              href="mailto:snort@...15979...">snort@...15979...</a>;
                            <a moz-do-not-send="true"
                              href="mailto:snort-users@lists.sourceforge.net">
                              snort-users@lists.sourceforge.net</a><br>
                            > Subject: Re: [Snort-users] AANVAL or
                            MYSQL question<br>
                            > <br>
                            > On 4/22/2014 1:09 PM, Gierczak, Stan
                            wrote:<br>
                            > [...]<br>
                            > > snort 1321 82.3 12.3 633956 501136
                            ? Rsl Apr21 1393:18<br>
                            > > /usr/sbin/snort -A fast -b -d -D
                            -i eth0 -u snort -g snort -c<br>
                            > > /etc/snort/snort.conf -l
                            /var/log/snort/eth0<br>
                            > ><br>
                            > > snort 3514 66.1 7.6 633684 308620
                            ? Rsl 12:01 4:34 /usr/sbin/snort<br>
                            > > -A fast -b -d -D -i eth0 -u snort
                            -g snort -c /etc/snort/snort.conf -l<br>
                            > > /var/log/snort/eth0<br>
                            > <br>
                            > @YM: maybe these are two threads of the
                            same process? i see similar on my own <br>
                            > systems... three of them if i compile
                            with the reload capability...<br>
                            > <br>
                            > -- <br>
                            > NOTE: No off-list assistance is given
                            without prior approval.<br>
                            > Please keep mailing list traffic on the
                            list unless<br>
                            > private contact is specifically
                            requested and granted.<br>
                          </div>
                        </div>
                      </div>
                      <br>
                      ------------------------------------------------------------------------------
                      Start Your Social Network Today - Download eXo
                      Platform Build your Enterprise Intranet with eXo
                      Platform Software Java Based Open Source Intranet
                      - Social, Extensible, Cloud Ready Get Started Now
                      And Turn Your Intranet Into A Collaboration
                      Platform <a moz-do-not-send="true"
                        href="http://p.sf.net/sfu/ExoPlatform"
                        target="_blank">
                        http://p.sf.net/sfu/ExoPlatform</a><br>
                      _______________________________________________
                      Snort-users mailing list <a
                        moz-do-not-send="true"
                        href="mailto:Snort-users@lists.sourceforge.net">
                        Snort-users@lists.sourceforge.net</a> Go to this
                      URL to change user options or unsubscribe:
                      <a moz-do-not-send="true"
                        href="https://lists.sourceforge.net/lists/listinfo/snort-users"
                        target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
                      Snort-users list archive:
                      <a moz-do-not-send="true"
href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users"
                        target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a>
                      Please visit
                      <a moz-do-not-send="true"
                        href="http://blog.snort.org" target="_blank">http://blog.snort.org</a>
                      to stay current on all the latest Snort news!</div>
                  </div>
                </div>
              </div>
            </span></div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>