[Oisf-users] Possible to have DAG & PF_RING devices simultaneously?
Michał Purzyński
michalpurzynski1 at gmail.com
Tue Jun 2 10:56:52 UTC 2015
Note - I don't have any experience with DAG, I just know how it works.
Specialised capture cards like Endace and Myricom allocate a userspace
buffer, push packets to it, and Suricata or other applications can
take packets from this buffer. Packets don't cross the kernel
(bypassing it for performance reasons). So they should not be visible
to pf_ring and DAG+pf_ring will not work.
An educated guess, at best.
On Tue, Jun 2, 2015 at 1:01 AM, Jason Ish <lists at unx.ca> wrote:
> On Mon, Jun 1, 2015 at 4:04 PM, Brian Keefer <chort at effu.se> wrote:
>> Hello,
>>
>> According to https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Endace_DAG the way to enable DAG capture it to start suricata with --dag <DEVICE>. There does not appear to be a section in suricata.yaml to setup DAG devices (for example, how many threads to assign).
>>
>> So I have two questions:
>> 1. How to I tell Suricata how many threads to assign to a DAG device?
>
> Right now the best way to run Suricata with a DAG is to make use of
> the DAG's hardware load balancing. So you basically set the DAG to
> load balance to 2, 4, 8, or more streams. Then run Suricata with
> arguments like:
>
> --runmode workers --dag dag0:0 --dag dag0:2 --dag dag0:4 --dag dag0:6
>
> which will load balance 4 ways. If you need assistance configuring
> the DAG load balancing, please contact Endace support, or email me off
> list and I'll see what I can do (as this is outside the scope of
> Suricata).
>
>> 2. Is it possible to simultaneously using PF_RING and DAG devices on the same Suricata instance?
>
> I've never mixed input sources myself..
>
> Jason
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
More information about the Oisf-users
mailing list