[Oisf-users] NETMAP guide - suricata.yaml

Oliver Humpage oliver at watershed.co.uk
Thu Apr 7 13:59:43 UTC 2016


> Does suricata really *have* to send the packet after processing?
> Wouldn't it save some cpu cycles if suricata could be configured *not* to send the packet further, when running in IDS mode?

Then no packets would ever get through your firewall.

Netmap *moves* the packet straight from the NIC into userland memory, and gives it to a userland process such as suricata. If suricata doesn’t do something with that packet, then it disappears.

In theory netmap is very efficient, so passing on the packet should take almost no effort at all.

In other modes, you’re right: IDS takes a *copy* of the packet to inspect. But that’s not how netmap works. If you just want to look at copies, use pcap.

Oliver.
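
The distinction made in this reply, shown as a suricata.yaml fragment. This is an added example, not part of the original message and not the project's shipped configuration. The interface names eth0 and eth1 are assumptions, and the two capture sections are alternatives rather than something to run together on the same interface.

```yaml
# Added illustration. Interface names are placeholders (assumptions).

# Option A: netmap capture.
# Packets are moved out of the NIC rings into Suricata, so Suricata
# has to put each one back on a wire or it is gone. copy-iface names
# the interface to forward to, and copy-mode selects the behaviour:
#   tap - forward every packet unchanged, alert only (IDS-style)
#   ips - forward unless a drop rule matches
netmap:
  - interface: eth0
    copy-mode: tap
    copy-iface: eth1
  # Return direction, so traffic flows both ways through the sensor.
  - interface: eth1
    copy-mode: tap
    copy-iface: eth0

# Option B: pcap capture.
# Suricata inspects copies of the packets. The originals follow their
# normal path whether or not Suricata is running, so there is nothing
# to forward and no copy-iface setting.
pcap:
  - interface: eth0
```

With option A the sensor sits in the traffic path, so a stopped or stalled Suricata process interrupts forwarding between the two interfaces. With option B a sensor failure costs visibility only.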



