[Oisf-users] af_packet vs pfring

Peter Manev petermanev at gmail.com
Mon Jul 29 13:04:07 UTC 2013


On 29 jul 2013, at 09:18, Peter Bates <peter.bates at ucl.ac.uk> wrote:

> Hello all
> 
> On 28/07/2013 12:22, Chris Wakelin wrote:
>> We're using PF_RING + DNA + libzero and running Suricata + Bro + Argus.
>> I had a look at AF_PACKET a few months ago, but couldn't get it to work
>> without dropping packets. I also was under the impression it wouldn't
>> allow multiple applications to see the traffic, but from what Cooper
>> just said, it seems I was wrong!
> 
> With new versions of Suricata popping up I'm contemplating revisiting
> the software - last time I checked with AF_PACKET I saw packet loss
> but testing Suricata with PF_RING last week I saw packet loss as well.

That is a loaded question. There are numerous dependencies - what type of traffic is predominant, what type of HW, how much traffic, how much HW resources are available, how many rules, which rule set (VRT/ET/ETPro) ....

> 
> I'm using PF_RING to run multiple instances of Snort (and some other 
> applications) and it would be nice to unify everything together and make
> the big switch.

You should consolidate, I agree.
Before that you should do some testing to determine if afpacket or pfring works best for you / your HW.

> 
> What version of Suricata are people mostly running - 1.4.x production,
> the version from Git, etc.? 
> 
> -- 
> Peter Bates
> Senior Information Security Officer   Phone: +44(0)2076792049
> Information Services Division          Internal Ext: 32049
> University College London
> London WC1E 6BT