[Oisf-users] Question about using suricata 1.1rc1 with nfq

Wed Nov 9 10:51:08 UTC 2011

I think you're mixing a few things up:

log-pcap: log packets to disk in pcap format, works for all methods of
acquiring packets.
pcap: settings for getting packets from the wire, passively. Not related
to nfq or inline modes in general.

For using nfq you can either use multiple queues by pass -q 0 -q 1, etc
to suricata, or you can configure your iptables to send all the traffic
to a single queue.

Cheers,
Victor

On 11/09/2011 11:45 AM, carlopmart wrote:
> On 11/09/2011 11:23 AM, Eric Leblond wrote:
> 
>>>
>>>    pcap:
>>>     - interface: eth1
>>>
>>>    What does it means this option??
>>
>> This option/configuration part is for the pcap acquisition module. You
>> can now specify multiple interfaces with different configuration for
>> pcap, pfring and af_packet acquisition module. Have a look at the
>> following blog post for more information:
>> http://home.regit.org/2011/10/suricata-new-feature/
> 
> If I use bridges too?? That's where I see the problem. I am using three 
> bridges: br0, br1, br2. Do I need to specify bridges or every phyisical 
> nic??
> 
>>
>>> Is not possible to record all traffic
>>> that suricata sees over multiple NFQUEUEs??
>>
>> Yes, you can do this by using multiple -q switches on the command line:
>> 	suricata -c suricata.yaml -q 0 -q 1
> 
> This is how I configured, with multiple nfqueues.
> 
>>
>>> Is it possible to define
>>> multiple interfaces in this option??
>>
>> Yes for pcap.
>>
> 
> How? Like this??
> 
> pcap:
>    - interface: br0, br1, br2
> 
> 

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------