[Oisf-devel] Is it possible to set pfring filter

Will Metcalf william.metcalf at gmail.com
Thu Sep 15 15:11:46 UTC 2011


libpcap has its own implementation of BPF, as does DAQ.  AFAIK PF_RING
leverages these existing implementations.  Luca, is this correct?

Regards,

Will

On Thu, Sep 15, 2011 at 9:52 AM, Victor Julien <victor at inliniac.net> wrote:
> Interesting, does that mean PF_RING does the filtering then? I believe
> libpcap normally sets an in-kernel filter with the bpf, right?
>
> If PF_RING can do it through libpcap why not directly? Or am I missing
> something crucial here?
>
> Cheers,
> Victor
>
> On 09/14/2011 02:19 PM, Chris Wakelin wrote:
>> If you use PF_RING-enabled libpcap then "-F" should work.
>>
>> You can also do clustering by setting environment variables
>> PCAP_PF_RING_CLUSTER_ID=99 and PCAP_PF_RING_USE_CLUSTER_PER_FLOW=yes but
>> would presumably need to run multiple instances of Suricata to benefit.
>>
>> Best Wishes,
>> Chris
>>
>> On 14/09/2011 13:08, Victor Julien wrote:
>>> Does PF_RING have something similar to bpf that we could support?
>>>
>>> On 09/14/2011 02:06 PM, Will Metcalf wrote:
>>>> Currently this isn't possible.
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> On Wed, Sep 14, 2011 at 4:29 AM, Delta Yeh <delta.yeh at gmail.com> wrote:
>>>>> Hi,
>>>>>  As we know, we can use the -F option to set a bpf filter.
>>>>> Is there a way to set a pfring filter?
>>>>>
>>>>>
>>>>> BR,
>>>>> DeltaY
>>>>> _______________________________________________
>>>>> Oisf-devel mailing list
>>>>> Oisf-devel at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>


