[Oisf-users] af_packet vs pfring

Cooper F. Nelson cnelson at ucsd.edu
Sun Jul 28 00:23:05 UTC 2013



AF_PACKET + mmap mode is pretty much the same thing as pf_ring.

I thought pf_ring was proprietary or licensed in some way, but I may be
wrong about that.

In my setup, it appears AF_PACKET mode will truncate packets unless all
offloading features of the NIC are disabled.

See this blog post for more details:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

I use AF_PACKET for suricata and libpcap for everything else on the same
box, no problems yet.

-Coop

On 7/27/2013 5:15 PM, Russell Fulton wrote:
> Hi
> 
> The next decision I need to make is whether to use pf_ring or
> af_packet.  From what I can garner with google if you are just
> running suri on the sensor af_packet is flavour of the month.
> However I have found references that suggest that if one wants to run
> other packages like argus and bro alongside then pf_ring is
> preferred.
> 
> Can anyone point me to a document that spells out the pros and cons
> of the two?
> 
> Thanks, Russell
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
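A check for the offload condition mentioned in the message above, as an added example that is not part of the original post: it parses `ethtool -k` output, lists the offload features still enabled on a capture interface, and builds the matching `ethtool -K` command. The function names, the `eth0` interface and the sample output are constructed for illustration, and the set of features checked is an assumption about what "all offloading features" covers.

```shell
#!/bin/sh
# Audit NIC offloads on a capture interface before running AF_PACKET capture.

# Constructed sample of `ethtool -k eth0` output (not taken from a real host).
sample_ethtool_k() {
    cat <<'EOF'
Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

# Read `ethtool -k` output on stdin; print the short ethtool -K name of every
# top-level offload feature whose state is "on", one per line.
enabled_offloads() {
    awk -F': *' '
        BEGIN {
            short["rx-checksumming"] = "rx";  short["tx-checksumming"] = "tx"
            short["scatter-gather"] = "sg"
            short["tcp-segmentation-offload"] = "tso"
            short["udp-fragmentation-offload"] = "ufo"
            short["generic-segmentation-offload"] = "gso"
            short["generic-receive-offload"] = "gro"
            short["large-receive-offload"] = "lro"
        }
        # Indented sub-features and the header line are not keys, so skipped.
        ($1 in short) { split($2, st, " "); if (st[1] == "on") print short[$1] }
    '
}

# Read `ethtool -k` output on stdin; print the command that turns off every
# offload still enabled on interface $1, or nothing if all are already off.
offload_fix_cmd() {
    flags=$(enabled_offloads | awk '{ printf "%s%s off", (NR > 1 ? " " : ""), $1 }')
    if [ -n "$flags" ]; then
        printf 'ethtool -K %s %s\n' "$1" "$flags"
    fi
}

# Demo on the constructed sample; on a sensor: ethtool -k eth0 | offload_fix_cmd eth0
sample_ethtool_k | offload_fix_cmd eth0
```

Settings changed with `ethtool -K` do not survive a reboot or driver reload, so the audit is worth running from the sensor's startup script as well.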


