From: Jason Ish Date: Thu, 17 Dec 2015 17:18:04 +0000 (-0600) Subject: doc: runmodes X-Git-Tag: suricata-3.2beta1~240 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f97c045bf11d4c579e44eed2a36bf533fc57c86a;p=thirdparty%2Fsuricata.git doc: runmodes --- diff --git a/doc/sphinx/performance/index.rst b/doc/sphinx/performance/index.rst index bfdf391048..d76b8082cc 100644 --- a/doc/sphinx/performance/index.rst +++ b/doc/sphinx/performance/index.rst @@ -8,3 +8,4 @@ Performance statistics packet-profiling rule-profiling + runmodes diff --git a/doc/sphinx/performance/runmodes.rst b/doc/sphinx/performance/runmodes.rst new file mode 100644 index 0000000000..0927501e12 --- /dev/null +++ b/doc/sphinx/performance/runmodes.rst 
@@ -0,0 +1,35 @@ +Runmodes +======== + +Suricata consists of several 'building blocks' called threads, +thread-modules and queues. A thread is like a process that runs on a +computer. Suricata is multi-threaded, so multiple threads are active +at once. A thread-module is a part of a functionality. One module is +for example for decoding a packet, another is the detect-module and +another one the output-module. A packet can be processed by more than +one thread. The packet will be passed on to the next thread through a +queue. Packets will be processed by one thread at a time, but there +can be multiple packets being processed at a time by the engine. (see +[[**FIXME** suricata.yaml#max-pending-packets]]) A thread can have one or more +thread-modules. If they have more modules, they can only be active on +a a time. The way threads, modules and queues are arranged together +is called the Runmode. + +Different runmodes +~~~~~~~~~~~~~~~~~~ + +You can choose a runmode out of several predefined runmodes. The +command line option --list-runmodes shows all available runmodes. All +runmodes have a name: auto, single, autofp. The heaviest task is the +detection; a packet will be checked against thousands of signatures. + +Example of the default runmode: + +.. image:: runmodes/threading1.png + +In the pfring mode, every flow follows its own fixed route in the runmode. + +.. image:: runmodes/Runmode_autofp.png + +For more information about the command line options concerning the +runmode, see :doc:`../command-line-options`. diff --git a/doc/sphinx/performance/runmodes/Runmode_autofp.png b/doc/sphinx/performance/runmodes/Runmode_autofp.png new file mode 100644 index 0000000000..42db21d731 Binary files /dev/null and b/doc/sphinx/performance/runmodes/Runmode_autofp.png differ 
diff --git a/doc/sphinx/performance/runmodes/threading1.png b/doc/sphinx/performance/runmodes/threading1.png new file mode 100644 index 0000000000..399bf67fca Binary files /dev/null and b/doc/sphinx/performance/runmodes/threading1.png differ
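Review bot: The first paragraph of the new doc/sphinx/performance/runmodes.rst still contains the literal placeholder "[[**FIXME** suricata.yaml#max-pending-packets]]", which would appear verbatim in the built documentation. Replace it with a working Sphinx cross-reference to the max-pending-packets setting, or drop the parenthetical until the target page exists. In the same paragraph, "they can only be active on a a time" has a doubled word and loses the intended meaning, presumably "one at a time". Under "Different runmodes", the sentence "In the pfring mode, every flow follows its own fixed route" introduces the image Runmode_autofp.png, while the names listed just above are auto, single and autofp. The sentence and the image file name should refer to the same runmode. "Example of the default runmode:" would also be clearer if it said which of the listed runmodes is the default.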