[Oisf-users] Possible to have DAG & PF_RING devices simultaneously?

Jason Ish lists at unx.ca
Mon Jun 1 23:01:06 UTC 2015


On Mon, Jun 1, 2015 at 4:04 PM, Brian Keefer <chort at effu.se> wrote:
> Hello,
>
> According to https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Endace_DAG the way to enable DAG capture is to start suricata with --dag <DEVICE>. There does not appear to be a section in suricata.yaml to set up DAG devices (for example, how many threads to assign).
>
> So I have two questions:
> 1. How do I tell Suricata how many threads to assign to a DAG device?

Right now the best way to run Suricata with a DAG is to make use of
the DAG's hardware load balancing. So you basically set the DAG to
load balance to 2, 4, 8, or more streams.  Then run Suricata with
arguments like:

  --runmode workers --dag dag0:0 --dag dag0:2 --dag dag0:4 --dag dag0:6

which will load balance 4 ways.  If you need assistance configuring
the DAG load balancing, please contact Endace support, or email me off
list and I'll see what I can do (as this is outside the scope of
Suricata).

> 2. Is it possible to simultaneously use PF_RING and DAG devices on the same Suricata instance?

I've never mixed input sources myself..

Jason


