[Oisf-users] bond vs individual interface.
Victor Julien
lists at inliniac.net
Fri Feb 9 16:33:30 UTC 2018
On 09-02-18 16:33, Charles Devoe wrote:
> When we use taps the data comes in on 2 separate interfaces (i.e. em1
> and em2). I am curious about the pros and cons of using a bonded
> interface vs setting up suricata to use the individual interfaces.
>
> Specifically, I can set up af-packet to use em1, em2 or I can set it up
> to use bond0.
I have no experience with bonds, so it's hard to advise on this.
Something to keep in mind is that if the 2 sides of a flow come on
different interfaces Suricata will not try to order the packets.
Timing issues in hardware, OS and Suricata itself will make packet order
non-deterministic. So you might see a SYN/ACK before a SYN, leading to
stream tracking, reassembly and detection issues.
Generally this is where hardware solutions that do packet reordering
(e.g. Napatech does this iirc) come in.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
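
As an added illustration (not part of the original message, and not Suricata code): a small check over constructed packet records, listed in the order a sensor processed them, that reports flows whose two directions arrived on different interfaces and whose SYN/ACK was processed before the SYN. The record layout and the function names are assumptions made for this example.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

# Constructed sample (not from the thread): packets in the order the sensor
# processed them, as (interface, src, sport, dst, dport, tcp_flags).
SAMPLE = [
    ("em1", "10.0.0.5", 40000, "192.0.2.10", 443, SYN),
    ("em2", "192.0.2.10", 443, "10.0.0.5", 40000, SYN | ACK),
    ("em1", "10.0.0.5", 40000, "192.0.2.10", 443, ACK),
    # Second flow: the SYN/ACK from em2 is processed before the SYN from em1.
    ("em2", "192.0.2.10", 443, "10.0.0.6", 40001, SYN | ACK),
    ("em1", "10.0.0.6", 40001, "192.0.2.10", 443, SYN),
    ("em1", "10.0.0.6", 40001, "192.0.2.10", 443, ACK),
]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both sides of a flow map to one entry."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def handshake_report(records):
    """Per flow: did the sides arrive on different interfaces ("split"),
    and was the SYN/ACK processed before the SYN ("reordered")?"""
    seen = defaultdict(lambda: {"ifaces": set(), "syn": None, "synack": None})
    for pos, (iface, src, sport, dst, dport, flags) in enumerate(records):
        flow = seen[flow_key(src, sport, dst, dport)]
        flow["ifaces"].add(iface)
        if flags & SYN:
            kind = "synack" if flags & ACK else "syn"
            if flow[kind] is None:  # keep the first occurrence only
                flow[kind] = pos
    report = {}
    for key, flow in seen.items():
        syn, synack = flow["syn"], flow["synack"]
        report[key] = {
            "split": len(flow["ifaces"]) > 1,
            "reordered": syn is not None and synack is not None and synack < syn,
        }
    return report


if __name__ == "__main__":
    for key, result in handshake_report(SAMPLE).items():
        print(key, result)
```
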