[Oisf-users] AF_Packet multiple capture interfaces

coolyasha at hotmail.com coolyasha at hotmail.com
Sun Nov 1 14:40:50 UTC 2015


I've done pfring in auto mode for two 10 gig interfaces. 40 threads total. Using 70 gig of RAM to preserve streams. Almost 0 packet loss.




On Sun, Nov 1, 2015 at 6:32 AM -0800, "Peter Manev" <petermanev at gmail.com> wrote:
On Wed, Oct 28, 2015 at 6:19 PM, Brian Hennigar <bhennigar at gmail.com> wrote:
> Hi,
> I'm looking for recommendations for using suricata in runmode: workers and
> AF_Packet with multiple capture interfaces. I'm not sure how to best configure
> the threads and cluster-id.
> I have 3 relatively low traffic span interfaces (IDS mode, alert only) and 6
> cores.
>
> Would each interface need to have its own cluster-id?  Would the best
> threads setting be auto for each interface?

You would need a different cluster-id, yes.
If you don't have much traffic, auto is fine; otherwise you need to go to
manual configuration of the number of threads per interface and
budget more threads for more traffic.

>
> Thanks!
> Brian
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



--
Regards,
Peter Manev
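
The advice in this thread as an `af-packet` section for `suricata.yaml`: one entry per capture interface, each with its own `cluster-id`. This is an added example, not configuration posted by anyone in the thread; the interface names, the cluster-id numbers, and the choice of which link gets a manual thread count are assumptions.

```yaml
# Added example for a 6-core sensor with three SPAN interfaces in IDS
# (alert-only) mode. Interface names and cluster-id values are
# assumptions; substitute your own.

runmode: workers

af-packet:
  # Low-traffic link: let Suricata choose the thread count.
  - interface: eth1
    threads: auto
    # Must differ from the cluster-id of every other interface below.
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

  # Low-traffic link: same settings, different cluster-id.
  - interface: eth2
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes

  # Assumed to be the busiest of the three links: thread count set
  # manually so more workers are budgeted where the traffic is.
  - interface: eth3
    threads: 2
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
```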