<div dir="ltr"><div><div><div><br></div>No actually on RHEL7. I'm starting to think that perhaps netmap pipes isn't supported in Suricata, maybe someone can confirm this? I was basing this configuration somewhat around the documentation here: <a href="http://suricata.readthedocs.io/en/latest/performance/packet-capture.html">http://suricata.readthedocs.io/en/latest/performance/packet-capture.html</a> as it references using the lb tool to load balance.<br><br></div>I attempted to confirm the TX/RX as you suggested with tcpdump, which required compiling libpcap and tcpdump w/ netmap support. But no dice binding to the netmap pipe foo, (I could however bind to the interface).<br><br></div>-James<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 31, 2017 at 4:03 PM, Michael Shirk <span dir="ltr"><<a href="mailto:shirkdog.bsd@gmail.com" target="_blank">shirkdog.bsd@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">I am assuming you are trying with FreeBSD?<div dir="auto"><br></div><div dir="auto">If so, which version of FreeBSD? And even if you are doing this on Linux, I would attempt to just use something like tcpdump to make sure TX/RX is working correctly.</div><div dir="auto"><br></div><div dir="auto"><br><br><div data-smartmail="gmail_signature" dir="auto">--<br>Michael Shirk<br>Daemon Security, Inc.<br><a href="http://www.daemon-security.com" target="_blank">http://www.daemon-security.com</a></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Jan 31, 2017 6:58 PM, "Eric Leblond" <<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<span class=""><br>
<br>
On Tue, 2017-01-31 at 15:52 -0800, James Dickenson wrote:<br>
> Hey All,<br>
><br>
> I'm trying to test a Suricata configuration using Netmap and the<br>
> bundled Netmap tool lb to load balance for the Suricata worker<br>
> threads. However I've run into some trouble trying to figure out how<br>
> to get Suricata to bind to the netmap pipes.<br>
><br>
> Anyone have any experience with using Netmap with Suricata? Or for<br>
> that matter used the lb to do load balancing?<br>
><br>
> Thanks in advance for the assistance!<br>
><br>
> -James<br>
><br>
> I can do the following:<br>
><br>
> # lb -i ens1f1 -p foo:4<br>
><br>
> and can bind to any of the four pipes using the netmap tool pkt-gen:<br>
><br>
> # pkt-gen -i foo}0 -f rx<br>
><br>
> But if I try on Suricata:<br>
><br>
> # /usr/bin/suricata -c /etc/suricata/suricata.yaml --netmap=foo}0 <br>
> --runmode=workers <br>
<br></span>
I'm not a netmap expert at all and I've never heard about this lb<br>
tool. <br>
But my understanding of netmap is that it behaves like the other<br>
capture method. So you specify the interface to attach to and then you<br>
say in Suricata YAML configuration how much threads you want to have.<br>
<br>
So in your case:<br>
<br>
usr/bin/suricata -c /etc/suricata/suricata.yaml --netmap=ensf1<br>
<br>
and in the YAML:<br>
<br>
netmap:<br>
# To specify OS endpoint add plus sign at the end (e.g. "eth0+")<br>
- interface: ens1f1<br>
threads: 4<br>
<br>
BR,<span class="HOEnZb"><font color="#888888"><br>
--<br>
Eric Leblond <<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>><br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br>
</font></span></blockquote></div></div>
</blockquote></div><br></div>