[Oisf-devel] PCAP log VLAN splitting

Peter Manev petermanev at gmail.com
Thu May 10 05:53:57 UTC 2018

> On 10 May 2018, at 02:02, LUIS MANUEL SILVA CASTILLO <luismsilvacastillo at gmail.com> wrote:
> Hi,
> my client wishes to use Suricata as a packet capture solution. However, there is an additional request to store packets from VLANs to their respective PCAP files. For instance VLAN 1 -> PCAP_Log_TS_TN_VLAN_1, the same for VLAN 2 and so on and so forth. The solution is also to be run on a high-speed network and needs to be able to cope with up to a 10 Gbps link. So far I have tried to use a Lua script both at logging and engine level but am unable to achieve 10G. I can get capture and splitting, but writing does not perform as required. My next step would be to try to modify the Suricata code to achieve the requested feature, but I want to ask first if there is any previous work or someone else has done something similar so I can get started.

I would suggest testing the writing first (10 Gbps writing, sustained, is not so trivial, in my experience anyway). That way you would be able to confirm where the bottleneck is first: writing, or anywhere in the post-processing.

Are you writing per thread?
It would be interesting to see the Lua script if possible.

> Thank you very much in advance; I look forward to your comments.
> Manuel

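The per-VLAN split Luis describes above, as an added, self-contained Python example (not Suricata code and not either poster's script): it reads the outer 802.1Q/802.1ad tag from each Ethernet frame, emits one complete classic pcap per VLAN ID, and builds a constructed sample capture inline so it runs offline. It assumes link type 1 (Ethernet) and little-endian pcap; the MAC addresses and payloads in the sample are dummies.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic pcap, microsecond timestamps
ETH_P_8021Q, ETH_P_8021AD = 0x8100, 0x88A8

def vlan_id(frame):
    """Outer 802.1Q/802.1ad VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 18:
        return None
    if struct.unpack_from("!H", frame, 12)[0] not in (ETH_P_8021Q, ETH_P_8021AD):
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci & 0x0FFF      # drop PCP/DEI bits, keep the 12-bit VID

def pcap_header(linktype=1, snaplen=65535):
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def iter_records(data):
    """Yield (ts_sec, ts_usec, frame) from little-endian pcap bytes."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl]
        off += incl

def split_by_vlan(data):
    """Return {vid_or_None: pcap_bytes}: one complete pcap per VLAN (None = untagged)."""
    out = defaultdict(lambda: bytearray(pcap_header()))
    for ts_sec, ts_usec, frame in iter_records(data):
        out[vlan_id(frame)] += pcap_record(ts_sec, ts_usec, frame)
    return {vid: bytes(buf) for vid, buf in out.items()}

def tagged_frame(vid, pcp=0, payload=b"\x00" * 46):
    """Constructed test frame: dummy MACs, 802.1Q tag (PCP|VID), inner ethertype IPv4."""
    tci = (pcp << 13) | vid
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!HHH", ETH_P_8021Q, tci, 0x0800) + payload

# Constructed sample capture: two frames on VLAN 1, one on VLAN 2, one untagged.
SAMPLE = (pcap_header() + pcap_record(1, 0, tagged_frame(1))
          + pcap_record(1, 5, tagged_frame(2, pcp=3))
          + pcap_record(2, 0, tagged_frame(1))
          + pcap_record(2, 7, b"\x02" * 12 + b"\x08\x00" + b"\x00" * 46))
```

Each value in the returned dict can be written straight to a file named per VLAN (for example `PCAP_Log_TS_TN_VLAN_1`); a real deployment would keep one open file handle per VLAN and flush in large blocks, which is where the sustained-write bottleneck Peter mentions shows up.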