[Oisf-users] AF_Packet multiple capture interfaces
Matt Jonkman
jonkman at jonkmans.com
Thu Oct 29 10:35:04 UTC 2015
Ya, definitely a different cluster id for each interface.
I’ve never tried auto for multiple nic’s, I imagine someone else can comment there. I generally split my # of available cores across the interfaces for threads per, by my expected load distribution on each nic. Sometimes oversubscribing if they’re not massive throughput cores (i.e giving out 12 threads among 3 interfaces in your 6 core box example). I have no scientific basis here, just figure if any nic gets a massive spike it would be able to use all available resources faster.
I hope to be correted in the above theories though. Just putting my theory into words makes me feel there’s probably a better answer. :) I’ve never done this on a massive throughput box. Generally the big ones (10gig+) are single interface affairs.
Matt
> On Oct 28, 2015, at 6:19 PM, Brian Hennigar <bhennigar at gmail.com> wrote:
>
> Hi,
> I'm looking for recommendations for using suricata un runmode: workers and AF_Packet with multiple capture interfaces. I'm not how to best configure the threads and cluster-id.
> I have 3 relatively low traffic span interfaces (IDS mode, alert only) and 6 cores.
>
> Would each interface need to have it's own cluster-id? Would the best threads setting be auto for each interface?
>
> Thanks!
> Brian
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
More information about the Oisf-users
mailing list