~~~~~~~~~~~~~~~~~~
You can choose a runmode out of several predefined runmodes. The
-command line option --list-runmodes shows all available runmodes. All
-runmodes have a name: auto, single, autofp. The heaviest task is the
-detection; a packet will be checked against thousands of signatures.
+command line option --list-runmodes shows all available runmodes. All
+runmodes have a name: single, workers, autofp.
-Example of the default runmode:
+Generally, the ``workers`` runmode performs the best. In this mode the
+NIC/driver makes sure packets are properly balanced over Suricata's
+processing threads. Each packet processing thread then contains the
+full packet pipeline.
-.. image:: runmodes/threading1.png
+.. image:: runmodes/workers.png
-In the pfring mode, every flow follows its own fixed route in the runmode.
+For processing PCAP files, or in case of certain IPS setups (like NFQ),
+``autofp`` is used. Here there are one or more capture threads, that
+capture the packet and do the packet decoding, after which it is passed
+on to the ``flow worker`` threads.
-.. image:: runmodes/Runmode_autofp.png
+.. image:: runmodes/autofp1.png
+
+.. image:: runmodes/autofp2.png
+
+Finally, the ``single`` runmode is the same as the ``workers`` mode,
+however there is only a single packet processing thread. This useful
+during development.
+
+.. image:: runmodes/single.png
For more information about the command line options concerning the
runmode, see :doc:`../command-line-options`.
projects / people / ms / suricata.git / commitdiff
