[Oisf-devel] Is it possible to set pfring filter
Victor Julien
victor at inliniac.net
Thu Sep 15 14:52:43 UTC 2011
Interesting, does that mean PF_RING does the filtering then? I believe
libpcap normally sets an in-kernel filter with the bpf, right?
If PF_RING can do it through libpcap why not directly? Or am I missing
something crucial here?
Cheers,
Victor
On 09/14/2011 02:19 PM, Chris Wakelin wrote:
> If you use PF_RING-enabled libpcap then "-F" should work.
>
> You can also do clustering by setting environment variables
> PCAP_PF_RING_CLUSTER_ID=99 and PCAP_PF_RING_USE_CLUSTER_PER_FLOW=yes but
> would presumably need to run multiple instances of Suricata to benefit.
>
> Best Wishes,
> Chris
>
> On 14/09/2011 13:08, Victor Julien wrote:
>> Does PF_RING have something similar to bpf that we could support?
>>
>> On 09/14/2011 02:06 PM, Will Metcalf wrote:
>>> Currently this isn't possible.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Wed, Sep 14, 2011 at 4:29 AM, Delta Yeh <delta.yeh at gmail.com> wrote:
>>>> Hi,
>>>> As we know, we can use -F option to set bpf filter.
>>>> Is there a way to set pfring filter ?
>>>>
>>>>
>>>> BR,
>>>> DeltaY
>>>> _______________________________________________
>>>> Oisf-devel mailing list
>>>> Oisf-devel at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>>
>>
>
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list