[Oisf-users] Suricata with PF_RING on latest git

Doug Burks doug.burks at gmail.com
Fri Jul 6 11:18:23 UTC 2012

I'm currently working on rebuilding my Security Onion distro on Ubuntu
12.04 64-bit and am looking at pfring vs afpacket, so this is a very
interesting discussion.  I like the simplicity of Suricata's afpacket
fanout support, but since we also run Bro, we'd have to do pfring
anyway.  And since we have non-pfring applications (like daemonlogger)
and have to support as many NICs as possible, we'd be using pfring
transparent_mode 0.  So given all that, should we go with pfring for
Suricata, or is there some advantage to using afpacket in this


On Fri, Jul 6, 2012 at 4:21 AM, Victor Julien <victor at inliniac.net> wrote:
> On 07/06/2012 10:17 AM, Anoop Saldanha wrote:
>>>> And I can verify, if you run pfring, it won't die if you don't send
>>>> packets.
>>>
>>> Yeah, no packets, no shutdown. Blame pfring :)
>>>
>> Maybe wait for 'x' seconds and if it hasn't shut down as yet, inject a
>> packet to trigger shutdown.
> That would be injecting on the wire, and then even account for the
> number of reader threads and the various cluster options. Way too
> complicated IMO.
> I think Luca was working on a timeout feature at some point, not sure
> what the status is.
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------

Doug Burks
