[Oisf-users] Installing suricata + vPF_RING as a vmware guest

Tue Oct 9 08:36:40 UTC 2012

Hello,

Le mardi 09 octobre 2012 à 08:29 +0000, C. L. Martinez a écrit :
> Hi all,
> 
>  I need to monitor a virtual guest subnet configured in two ESXi 5.1
> hosts .... Virtual switches are configured to use 1Gb speed. My idea
> is to use suricata + PF_RING to catch all http, smtp, ftp, and ssh
> traffic only. But I have some doubts:
> 
> a) What nic driver is recommended in this scenario: vmxnet3 or e1000
> to use with pf_ring??

I don't think vmxnet3 as a PF_RING support. So using e1000 with the
pf_ring aware driver is the solution.

> b) What are the steps to install vPF_RING??

Forexample you can look at that document on the wiki:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1204

> c) Do I need to use libpcap provided by pf_ring or can I use default
> libraries provided by the OS (in my case, CentOS 6.3 64-bit)?

Suricata has a support for native pfring, you do not need a pf_ring
pcap.

IMHO, you should give a try at AF_PACKET capture before at it will not
required you to build anything else than Suricata. If you've got packet
loss issue, you can then try to switch to PF_RING.
But AF_PACKET can be really fast (see
https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/ for a
example).

BR,

> 
> Many thanks for your help.
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

-- 
Eric Leblond 
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20121009/b0d28014/attachment.sig>