[Oisf-users] AF_Packet multiple capture interfaces

Peter Manev petermanev at gmail.com
Sun Nov 1 14:32:34 UTC 2015

On Wed, Oct 28, 2015 at 6:19 PM, Brian Hennigar <bhennigar at gmail.com> wrote:
> Hi,
> I'm looking for recommendations for using suricata in runmode: workers and
> AF_Packet with multiple capture interfaces. I'm not sure how to best configure
> the threads and cluster-id.
> I have 3 relatively low traffic span interfaces (IDS mode, alert only) and 6
> cores.
> Would each interface need to have its own cluster-id? Would the best
> threads setting be auto for each interface?

You would need a different cluster-id, yes.
If you don't have much traffic, auto is fine; otherwise you need to go to
manual configuration of the number of threads per interface and
budget more threads for more traffic.

> Thanks!
> Brian

Peter Manev
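
An added example, not part of the original message or of Suricata's shipped configuration: an `af-packet` section of suricata.yaml that follows the reply above for three low-traffic SPAN interfaces. The interface names, the cluster-id values and the manual thread split in the comments are assumptions.

```yaml
# Added example. Interface names (eth1-eth3) and cluster-id values are assumed.
runmode: workers

af-packet:
  # Each capture interface gets its own cluster-id so that its worker
  # threads form a separate AF_PACKET fanout group.
  - interface: eth1
    cluster-id: 99
    cluster-type: cluster_flow   # keep both directions of a flow on one thread
    defrag: yes
    threads: auto                # fine while traffic is low

  - interface: eth2
    cluster-id: 98               # must differ from eth1
    cluster-type: cluster_flow
    defrag: yes
    threads: auto

  - interface: eth3
    cluster-id: 97               # must differ from eth1 and eth2
    cluster-type: cluster_flow
    defrag: yes
    threads: auto

# If traffic grows, replace "auto" with explicit counts and give the busier
# interfaces more threads. An assumed split for a 6-core sensor:
#   eth1: threads: 3
#   eth2: threads: 2
#   eth3: threads: 1
```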
