[Oisf-users] best method to monitor two NIC's on same box
Will Metcalf
william.metcalf at gmail.com
Fri Jun 24 23:13:00 UTC 2011
If you are just using pcap mode, just specify -i twice:

    suricata -i eth0 -i eth1 -l ./ -c suricata.yaml

    [6041] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth1
    [6040] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth0

On Fri, Jun 24, 2011 at 5:53 PM, Keith Miller <orekdm at gmail.com> wrote:
> Greetings programs!
>
> I'm new to suricata, but a longtime veteran of NSM. Due to some recent
> excitement at work I got suricata working as a standalone and then as part
> of the smoothsec distro. I'm happily processing away on 8 cores at
> low-medium utilization. I just discovered that we have to pull another
> SPAN (traffic can't be added to the first) for monitoring. What is the
> best methodology to support this in suricata. I poked around, but no docs
> or postings seem to discuss this issue. Can I add a second NIC to the
> single instance? Do I need to have two installations side by side? Or
> just a second suricata.yaml and set of startup scripts?
>
> Forgive me if I've missed something obvious, please help!
>
> Keith Miller
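
Added example, not part of the original thread and not Suricata's own tooling: a shell check that every interface passed with -i produced a ReceivePcapThreadInit "using interface" line like the two quoted in the reply, so a SPAN port that never started capturing is noticed at startup. The function names, the sample log and the idea that the startup messages were saved to a file are assumptions.

```shell
#!/bin/sh
# Added example: confirm each monitored interface started a pcap receive thread.

# Constructed sample log, modelled on the two startup lines quoted in the reply.
sample_log() {
cat <<'EOF'
[6041] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth1
[6040] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth0
EOF
}

# iface_started LOGFILE IFACE
# Succeeds only if LOGFILE has a ReceivePcapThreadInit line whose last field
# is exactly IFACE (so "eth1" does not satisfy a check for "eth10").
iface_started() {
    awk -v want="$2" '
        index($0, "(ReceivePcapThreadInit) -- using interface ") && $NF == want { found = 1 }
        END { exit !found }
    ' "$1"
}

# missing_ifaces LOGFILE IFACE...
# Prints the interfaces that have no init line (space separated) and
# returns 1 if any are missing, 0 if all were started.
missing_ifaces() (
    log=$1
    shift
    missing=""
    for iface in "$@"; do
        iface_started "$log" "$iface" || missing="${missing:+$missing }$iface"
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
)

# Script use (hypothetical file name): ./check_ifaces.sh startup.log eth0 eth1
if [ "$#" -ge 2 ]; then
    m=$(missing_ifaces "$@") || { echo "no pcap thread for: $m" >&2; exit 1; }
fi
```
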