[Oisf-users] Possible to have DAG & PF_RING devices simultaneously?
Brian Keefer
chort at effu.se
Fri Jun 12 22:17:16 UTC 2015
On Jun 1, 2015, at 4:01 PM, Jason Ish <lists at unx.ca> wrote:
> On Mon, Jun 1, 2015 at 4:04 PM, Brian Keefer <chort at effu.se> wrote:
>> Hello,
>>
>> According to https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Endace_DAG the way to enable DAG capture it to start suricata with --dag <DEVICE>. There does not appear to be a section in suricata.yaml to setup DAG devices (for example, how many threads to assign).
>>
>> So I have two questions:
>> 1. How to I tell Suricata how many threads to assign to a DAG device?
>
> Right now the best way to run Suricata with a DAG is to make use of
> the DAG's hardware load balancing. So you basically set the DAG to
> load balance to 2, 4, 8, or more streams. Then run Suricata with
> arguments like:
>
> --runmode workers --dag dag0:0 --dag dag0:2 --dag dag0:4 --dag dag0:6
>
> which will load balance 4 ways. If you need assistance configuring
> the DAG load balancing, please contact Endace support, or email me off
> list and I'll see what I can do (as this is outside the scope of
> Suricata).
>
>> 2. Is it possible to simultaneously using PF_RING and DAG devices on the same Suricata instance?
>
> I've never mixed input sources myself..
>
> Jason
Hello Jason,
The config you suggested worked fine, after the stream load balancing was setup.
--
bk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150612/b12ff0e5/attachment.sig>
More information about the Oisf-users
mailing list