On 28/05/12 18:23, Alfredo Cardigliano wrote:
> Chris
> you do not need to modify Suricata (but please note that pfring_set_cluster()
> is for vanilla PF_RING only).
> "-n 6" means 6 consumers, they can be both threads or applications (if they
> are threads some optimizations are used, but the behavior is exactly the
> same).
> You can decide whether to deliver a portion of the traffic or all the traffic
> to the application/thread by setting the distribution function (the default
> one balances packets according to a bidirectional IP-based hash, see
> pfdnacluster_master.c for other examples).

So in the default config, I'd need "-n 6" and each Suricata thread should see
1/6th of the traffic? Would I need to tell each thread to talk to
dnacluster:99@0, dnacluster:99@1 etc.?

I was hoping to have multiple multi-threaded applications, with Suricata being
one of them, with each application seeing all the packets. Would I then need,
say, "-n 12" and change the function to deliver the same packets to, say, 0 and
6, 1 and 7, 2 and 8 etc.?

Best Wishes,
Chris

> Best Regards
> Alfredo
>
> On May 28, 2012, at 7:12 PM, Chris Wakelin wrote:
>
>> I've been looking at the new libzero stuff, but haven't managed to get
>> it running with Suricata and multiple threads. I'm a bit confused about
>> how it's supposed to work.
>>
>> I start the cluster master with:
>>
>> pfdnacluster_master -i dna0 -c 99 -r 7
>>
>> Then I start Suricata with "--pfring-int = dnacluster:99" (or equivalent
>> in suricata.yaml config file).
>>
>> In multiple threads mode, Suricata will try to set the cluster ID with
>> pfring_set_cluster, which fails. So I hacked it to ignore the failure.
>>
>> With a single thread it works. However with two or more threads it fails
>> on the second call of pfring_open().
>>
>> Presumably I don't need to specify "-n 6" on the cluster master - that
>> would mean six independent applications each getting all the packets,
>> rather than a single, multithreaded one with each thread getting a
>> proportion of the packets, right?
>>
>> I also tried giving Suricata six different interfaces, dnacluster:99@1,
>> dnacluster:99@2, etc. with one thread each, but that didn't work either.
>>
>> Do I need to modify Suricata to use libzero (might be beyond me)?
>>
>> Best Wishes,
>> Chris

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, [email protected]
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
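As an added example, not code from PF_RING/libzero or from either poster, here is a constructed model of the distribution Chris asks about: a bidirectional flow hash in the spirit of the default Alfredo mentions, with the result fanned out to consumer i and i+6 so that two applications each see all traffic while each of their six threads sees one sixth of it. The parser, the hash (which here also folds in ports and protocol, where the default is described only as IP-based) and the sample packets are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed illustration, not PF_RING/libzero code: a symmetric IPv4 flow hash
 * plus a fan-out that gives every packet to thread i of application 1 and to
 * consumer i+6 of application 2 (the "0 and 6, 1 and 7" layout for "-n 12"). */
#define THREADS_PER_APP 6   /* like "-n 6" for a single multi-threaded application */
#define NUM_APPS 2          /* two applications that must each see all traffic */
struct flow_key { uint32_t ip_a, ip_b; uint16_t port_a, port_b; uint8_t proto; };
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* Direction-independent 5-tuple from a raw IPv4 packet; -1 if too short or not IPv4. */
static int parse_ipv4_flow(const uint8_t *pkt, size_t len, struct flow_key *k) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    uint32_t src = be32(pkt + 12), dst = be32(pkt + 16);
    uint16_t sp = 0, dp = 0;
    k->proto = pkt[9];
    if ((k->proto == 6 || k->proto == 17) && len >= ihl + 4) {  /* TCP or UDP ports */
        sp = be16(pkt + ihl); dp = be16(pkt + ihl + 2);
    }
    /* Canonical ordering: A->B and B->A produce the same key. */
    int fwd = src < dst || (src == dst && sp <= dp);
    k->ip_a = fwd ? src : dst; k->ip_b = fwd ? dst : src;
    k->port_a = fwd ? sp : dp; k->port_b = fwd ? dp : sp;
    return 0;
}
/* FNV-1a over the canonical key, so both directions of a flow hash alike. */
static uint32_t bidirectional_hash(const struct flow_key *k) {
    uint32_t w[4] = { k->ip_a, k->ip_b, (uint32_t)k->port_a << 16 | k->port_b, k->proto };
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof w; i++) { h ^= ((const uint8_t *)w)[i]; h *= 16777619u; }
    return h;
}
/* Bitmask of consumer ids that receive this packet: slot h%6 in every application,
 * so each application sees all traffic and each thread one sixth of it. 0 if unparsable. */
uint32_t consumer_mask(const uint8_t *pkt, size_t len) {
    struct flow_key k;
    if (parse_ipv4_flow(pkt, len, &k) != 0) return 0;
    uint32_t slot = bidirectional_hash(&k) % THREADS_PER_APP, mask = 0;
    for (uint32_t app = 0; app < NUM_APPS; app++) mask |= 1u << (slot + app * THREADS_PER_APP);
    return mask;
}
/* Constructed IPv4/TCP samples (checksum left zero): both directions of 10.0.0.1:40000 <-> 192.168.1.10:443. */
const uint8_t SAMPLE_A_TO_B[24] = { 0x45,0,0,0x2c, 0,0,0x40,0, 0x40,6,0,0,
    10,0,0,1, 192,168,1,10, 0x9c,0x40,0x01,0xbb };
const uint8_t SAMPLE_B_TO_A[24] = { 0x45,0,0,0x2c, 0,0,0x40,0, 0x40,6,0,0,
    192,168,1,10, 10,0,0,1, 0x01,0xbb,0x9c,0x40 };
```

Both directions of the sample flow map to the same pair of consumers, and a truncated buffer yields an empty mask rather than a misrouted packet.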
