[Oisf-devel] Is it possible to set pfring filter

Luca Deri deri at ntop.org
Thu Sep 15 15:20:06 UTC 2011 

Will
I leverage the pcap implementation, thus if you use libpcap-over-pf_ring you have BPF. This because I didn't want to merge into PF_RING the BPF code that should belong to pcap.

This said having native BPF support on libpfring seems to be desirable (at least according to your needs). Is this something I should put on my todo list?

Luca

On Sep 15, 2011, at 5:11 PM, Will Metcalf wrote:

> libpcap has it's own implementation of BPF as does DAQ.  AFAIK PF_RING
> leverages these existing implementations.  Luca is this correct?
> 
> Regards,
> 
> Will
> 
> On Thu, Sep 15, 2011 at 9:52 AM, Victor Julien <victor at inliniac.net> wrote:
>> Interesting, does that mean PF_RING does the filtering then? I believe
>> libpcap normally sets an in-kernel filter with the bpf, right?
>> 
>> If PF_RING can do it through libpcap why not directly? Or am I missing
>> something crucial here?
>> 
>> Cheers,
>> Victor
>> 
>> On 09/14/2011 02:19 PM, Chris Wakelin wrote:
>>> If you use PF_RING-enabled libpcap then "-F" should work.
>>> 
>>> You can also do clustering by setting environment variables
>>> PCAP_PF_RING_CLUSTER_ID=99 and PCAP_PF_RING_USE_CLUSTER_PER_FLOW=yes but
>>> would presumably need to run multiple instances of Suricata to benefit.
>>> 
>>> Best Wishes,
>>> Chris
>>> 
>>> On 14/09/2011 13:08, Victor Julien wrote:
>>>> Does PF_RING have something similar to bpf that we could support?
>>>> 
>>>> On 09/14/2011 02:06 PM, Will Metcalf wrote:
>>>>> Currently this isn't possible.
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Will
>>>>> 
>>>>> On Wed, Sep 14, 2011 at 4:29 AM, Delta Yeh <delta.yeh at gmail.com> wrote:
>>>>>> Hi,
>>>>>>  As we know, we can use -F option to set bpf filter.
>>>>>> Is there a way to set pfring filter ?
>>>>>> 
>>>>>> 
>>>>>> BR,
>>>>>> DeltaY
>>>>>> _______________________________________________
>>>>>> Oisf-devel mailing list
>>>>>> Oisf-devel at openinfosecfoundation.org
>>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>>> 
>>>>> _______________________________________________
>>>>> Oisf-devel mailing list
>>>>> Oisf-devel at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>> 
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>> 
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>

More information about the Oisf-devel mailing list