[Oisf-users] best method to monitor two NIC's on same box
Keith Miller
orekdm at gmail.com
Fri Jun 24 23:19:13 UTC 2011
Thank you. I was hoping that it was something that simple. I think that
did the trick.
On Fri, Jun 24, 2011 at 16:13, Will Metcalf <william.metcalf at gmail.com> wrote:
> if you are just using pcap mode just specify -i twice
>
> suricata -i eth0 -i eth1 -l ./ -c suricata.yaml
>
> [6041] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info>
> (ReceivePcapThreadInit) -- using interface eth1
> [6040] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info>
> (ReceivePcapThreadInit) -- using interface eth0
>
> On Fri, Jun 24, 2011 at 5:53 PM, Keith Miller <orekdm at gmail.com> wrote:
>
>> Greetings programs!
>>
>> I'm new to suricata, but a longtime veteran of NSM. Due to some recent
>> excitement at work I got suricata working as a standalone and then as part
>> of the smoothsec distro. I'm happily processing away on 8 cores at
>> low-medium utilization. I just discovered that we have to pull another
>> SPAN (traffic can't be added to the first) for monitoring. What is the
>> best methodology to support this in suricata? I poked around, but no docs
>> or postings seem to discuss this issue. Can I add a second NIC to the
>> single instance? Do I need to have two installations side by side? Or
>> just a second suricata.yaml and set of startup scripts?
>>
>> Forgive me if I've missed something obvious, please help!
>>
>> Keith Miller
>>
>
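A way to confirm from the startup log that every SPAN-facing NIC was actually attached, added here as an example and not part of the original thread. The function names are hypothetical, the sample log lines are constructed in the format quoted above, and the check assumes each log message sits on one line with the interface name as its last field.

```shell
#!/usr/bin/env bash
# Added example: verify that Suricata's pcap receive threads attached to
# every interface passed with -i, using the "using interface" log lines.

# missing_ifaces LOGFILE IFACE...   (hypothetical helper name)
# Prints each expected interface that has no ReceivePcapThreadInit line.
# Returns 0 only when every interface was seen.
missing_ifaces() {
    local log=$1
    local iface
    local rc=0
    shift
    for iface in "$@"; do
        # Compare the last field exactly so eth1 does not match eth10.
        if ! awk -v want="$iface" '
                /\(ReceivePcapThreadInit\) -- using interface / && $NF == want { found = 1 }
                END { exit !found }' "$log"; then
            echo "$iface"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample log (not real output): eth0 and eth10 attached, eth1 did not.
write_sample_log() {
    cat > "$1" <<'EOF'
[6040] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth0
[6041] 24/6/2011 -- 18:09:17 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth10
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
# eth1 was expected but never attached, so it is printed and the check fails.
missing_ifaces "$sample" eth0 eth1 || echo "capture incomplete: a monitored link is blind" >&2
rm -f "$sample"
```

Run against the real log after each restart; a non-zero return means at least one SPAN feed is not being inspected.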