[Oisf-devel] Is it possible to set pfring filter
Luca Deri
deri at ntop.org
Thu Sep 15 15:20:06 UTC 2011
Will
I leverage the pcap implementation, thus if you use libpcap-over-pf_ring you have BPF. This is because I didn't want to merge into PF_RING the BPF code that should belong to pcap.
This said, having native BPF support on libpfring seems to be desirable (at least according to your needs). Is this something I should put on my todo list?
Luca
On Sep 15, 2011, at 5:11 PM, Will Metcalf wrote:
> libpcap has its own implementation of BPF, as does DAQ. AFAIK PF_RING
> leverages these existing implementations. Luca, is this correct?
>
> Regards,
>
> Will
>
> On Thu, Sep 15, 2011 at 9:52 AM, Victor Julien <victor at inliniac.net> wrote:
>> Interesting, does that mean PF_RING does the filtering then? I believe
>> libpcap normally sets an in-kernel filter with the bpf, right?
>>
>> If PF_RING can do it through libpcap why not directly? Or am I missing
>> something crucial here?
>>
>> Cheers,
>> Victor
>>
>> On 09/14/2011 02:19 PM, Chris Wakelin wrote:
>>> If you use PF_RING-enabled libpcap then "-F" should work.
>>>
>>> You can also do clustering by setting environment variables
>>> PCAP_PF_RING_CLUSTER_ID=99 and PCAP_PF_RING_USE_CLUSTER_PER_FLOW=yes but
>>> would presumably need to run multiple instances of Suricata to benefit.
>>>
>>> Best Wishes,
>>> Chris
>>>
>>> On 14/09/2011 13:08, Victor Julien wrote:
>>>> Does PF_RING have something similar to bpf that we could support?
>>>>
>>>> On 09/14/2011 02:06 PM, Will Metcalf wrote:
>>>>> Currently this isn't possible.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Will
>>>>>
>>>>> On Wed, Sep 14, 2011 at 4:29 AM, Delta Yeh <delta.yeh at gmail.com> wrote:
>>>>>> Hi,
>>>>>> As we know, we can use the -F option to set a bpf filter.
>>>>>> Is there a way to set a pfring filter?
>>>>>>
>>>>>>
>>>>>> BR,
>>>>>> DeltaY
>>>>>> _______________________________________________
>>>>>> Oisf-devel mailing list
>>>>>> Oisf-devel at openinfosecfoundation.org
>>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>