[Oisf-users] Suricata seperate Rx/Tx connection
Amar
amar at countersnipe.com
Sat Nov 2 13:42:32 UTC 2019
-i <interface>
After the -i option you can enter the interface card you would like to use to sniff packets from. This option will try to use the best capture method available.
As per https://suricata.readthedocs.io/en/suricata-4.1.3/command-line-options.html
>
> On Nov 2, 2019 at 2:32 AM, Cooper Nelson <cnelson at ucsd.edu> wrote:
>
> What packet capture method are you using?
>
> -Coop
>
> From: Amar <amar at countersnipe.com>
> Sent: Friday, November 1, 2019 1:58 PM
> To: Nelson, Cooper <cnelson at ucsd.edu>
> Cc: mohammad kashif <kashif.alig at gmail.com>; Oisf-Users <oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] Suricata seperate Rx/Tx connection
>
> CounterSnipe default setup bonds all interfaces into a single bond#(0) and starts Suri with -i bond0 and it works fine.
>
> > On Nov 1, 2019 at 10:49 PM, Cooper Nelson <cnelson at ucsd.edu> wrote:
> >
> > That would work with pcap, not sure how AF_PACKET handles bonded interfaces.
> >
> > We use an Arista with two 10Gbit interfaces and pevma’s config.
> >
> > -Coop
> >
> > From: Amar <amar at countersnipe.com>
> > Sent: Friday, November 1, 2019 8:19 AM
> > To: mohammad kashif <kashif.alig at gmail.com>
> > Cc: Nelson, Cooper <cnelson at ucsd.edu>; Oisf-Users <oisf-users at lists.openinfosecfoundation.org>
> > Subject: Re: [Oisf-users] Suricata seperate Rx/Tx connection
> >
> > Could bonding be the solution here? Bond eth1 and 2 and simply monitor the bond.
> >
> > On Nov 1, 2019 at 4:08 PM, mohammad kashif <kashif.alig at gmail.com> wrote:
> >