[Oisf-users] Installing suricata + vPF_RING as a vmware guest

C. L. Martinez carlopmart at gmail.com
Wed Oct 10 08:28:53 UTC 2012


On Tue, Oct 9, 2012 at 8:36 AM, Eric Leblond <eric at regit.org> wrote:
> Hello,
>
> On Tuesday 09 October 2012 at 08:29 +0000, C. L. Martinez wrote:
>> Hi all,
>>
>>  I need to monitor a virtual guest subnet configured in two ESXi 5.1
>> hosts .... Virtual switches are configured to use 1Gb speed. My idea
>> is to use suricata + PF_RING to catch all http, smtp, ftp, and ssh
>> traffic only. But I have some doubts:
>>
>> a) What nic driver is recommended in this scenario: vmxnet3 or e1000
>> to use with pf_ring??
>
> I don't think vmxnet3 has PF_RING support. So using e1000 with the
> pf_ring aware driver is the solution.
>
>> b) What are the steps to install vPF_RING??
>
> For example you can look at that document on the wiki:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1204
>
>> c) Do I need to use libpcap provided by pf_ring or can I use default
>> libraries provided by the OS (in my case, CentOS 6.3 64-bit)?
>
> Suricata has support for native pfring, you do not need a pf_ring
> pcap.
>
> IMHO, you should give AF_PACKET capture a try first as it will not
> require you to build anything else than Suricata. If you've got packet
> loss issues, you can then try to switch to PF_RING.
> But AF_PACKET can be really fast (see
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/ for an
> example).
>
> BR,
>
>>

Many thanks Eric for your help ... I will try with e1000 driver ...
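As an added illustration of the two capture paths discussed above (not from the original thread and not Suricata's own shipped configuration), here is a suricata.yaml fragment with an af-packet section to try first and a pfring section to switch to if kernel drops appear. The interface name eth1, the cluster-id values and the thread counts are assumptions for a single e1000 guest NIC on a mirror/promiscuous port group; adjust them to your guest.

```yaml
# Added example, not part of the original mailing-list post.
# Assumed: eth1 is the e1000 monitor NIC of the CentOS 6.3 guest,
# attached to a promiscuous vSwitch port group.

# Path 1: AF_PACKET. Needs nothing beyond Suricata itself.
# Start with:  suricata -c /etc/suricata/suricata.yaml --af-packet=eth1
af-packet:
  - interface: eth1
    threads: 1              # raise only after checking drops on 1 thread
    cluster-id: 99          # assumed id; any unique value per interface
    cluster-type: cluster_flow   # keep both directions of a flow together
    defrag: yes
    use-mmap: yes           # ring buffer, avoids a copy per packet
    buffer-size: 32768      # assumed; grow if capture.kernel_drops rises

# Path 2: PF_RING. Only used when started with --pfring-int=eth1 and
# only if Suricata was built with --enable-pfring (check with
# suricata --build-info, look for "PF_RING support").
pfring:
  - interface: eth1
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow

# Limit detection to the protocols the original question cares about:
# unneeded parsers can be turned off so only http/smtp/ftp/ssh are inspected.
app-layer:
  protocols:
    http:
      enabled: yes
    smtp:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    tls:
      enabled: no           # assumed: TLS not in scope for this sensor
    dns:
      enabled: no
```

The decision point Eric describes is the drop counter: run AF_PACKET for a while and compare capture.kernel_packets against capture.kernel_drops in stats.log. If drops stay at zero there is no reason to build the PF_RING kernel module and its e1000-aware driver; if they climb, start Suricata with --pfring-int=eth1 instead and the pfring section above takes over without further config changes.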