[Oisf-users] using af-packet for capturing traffic from multiple interfaces

Risto Vaarandi Risto.Vaarandi at seb.ee
Tue Nov 7 19:30:41 UTC 2017


Hi all,
I need to run Suricata for capturing traffic from two interfaces with af-packet. Configuring af-packet would be straightforward, but there is one issue - for any TCP connection, some packets might appear on one interface, while the rest of the packets are available on the other interface. I can see two issues here. First, it is not possible to configure the same value for the 'cluster-id' parameter for two different interfaces, and the packets for the same connection are not received by the same thread in 'workers' runmode. Second, I suspect that the order of getting the packets from two distinct interfaces is not determined, and for Suricata they might appear in a different order than originally in the network.
Nevertheless, are there some recommended ways for configuring af-packet for such a two-interface scenario? For instance, can the 'async-oneside' option be used here for improving the detection capability? I would be grateful for all recommendations.
Kind regards,
risto
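For readers following the question, the suricata.yaml fragment below is an added example (not from the poster) of the two-interface af-packet layout being described: each interface needs its own cluster-id, and async-oneside is the stream option the poster asks about. Interface names and cluster-id values are assumptions; this fragment does not by itself give cross-interface flow affinity or ordering.

```yaml
# Added example, not part of the original post.
# Two capture interfaces, each in its own af-packet fanout group
# (cluster-id must differ per interface, as the poster notes).
runmode: workers

af-packet:
  - interface: eth0            # assumed name for the first capture interface
    cluster-id: 99
    cluster-type: cluster_flow # flow hashing applies only within this interface
    defrag: yes
    use-mmap: yes
  - interface: eth1            # assumed name for the second capture interface
    cluster-id: 98             # distinct from eth0's cluster-id
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes

stream:
  # Allow TCP stream tracking and inspection when only one direction
  # of a connection is seen; this is the option the poster asks about.
  async-oneside: true
```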