[Oisf-users] AF_Packet multiple capture interfaces

Brian Hennigar bhennigar at gmail.com
Sun Nov 1 14:46:53 UTC 2015


Im running things in a vm and unfortunately pfring isn't supported on the
10gb vmxnet3 Interfaces.

Is there a recommended threads:cores ratio?
On Nov 1, 2015 10:41 AM, <coolyasha at hotmail.com> wrote:

> I've done pfring in auto mode for two 10 gig interfaces. 40 threads total.
> Using 70 gig of ram to preserve streams. Almost 0 packet *loss*
>
>
>
> On Sun, Nov 1, 2015 at 6:32 AM -0800, "Peter Manev" <petermanev at gmail.com>
> wrote:
>
> On Wed, Oct 28, 2015 at 6:19 PM, Brian Hennigar <bhennigar at gmail.com>
> wrote:
> > Hi,
> > I'm looking for recommendations for using suricata un runmode: workers
> and
> > AF_Packet with multiple capture interfaces. I'm not how to best configure
> > the threads and cluster-id.
> > I have 3 relatively low traffic span interfaces (IDS mode, alert only)
> and 6
> > cores.
> >
> > Would each interface need to have it's own cluster-id?  Would the best
> > threads setting be auto for each interface?
>
> You would need a diff cluster-id , yes.
> If you dont have much traffic auto is fine otherwise you need to go to
> manual configuration of the number of threads per interface and
> budget more threads for more traffic.
>
> >
> > Thanks!
> > Brian
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
>
>
> --
> Regards,
> Peter Manev
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151101/361ec005/attachment-0002.html>


More information about the Oisf-users mailing list