Bob, please see inline.

On Sep 21, 2012, at 8:43 PM, Bob Bomar <[email protected]> wrote:

> I’m doing some testing currently with PF_RING + DNA. And I had 2 questions
> that I wanted to ask:
>
> 1) If we’re running the driver with 8 RSS queues, is it splitting the
> traffic across those 8 queues, or only the ones that we’re listening to?
> I.e., if we’ve got 8 queues and we’ve got snort running on 2 of them, are we
> ignoring 75% of the traffic?

Yes, as RSS distributes packets to queues according to the hash, you are ignoring 75% of the traffic.

> 2) Can we, and if so how, get more than one application receiving the
> same traffic? So if we have snort listening on dna0@[0-7], can we also fire
> up nprobe for dna0@[0-7] and have it see the same data?

This is available with standard pf_ring or with libzero for DNA (not with standard DNA). In the second case you need a custom "pfdnacluster_master" application for distributing/cloning traffic in zero-copy to nProbe and snort, and a custom DAQ-DNA compatible with libzero.

Best Regards
Alfredo

> --
> Bob Bomar
> Secure Information Services
> terremark worldwide
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
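The sensor-coverage point in the reply above (RSS assigns each flow to one queue by hash, so a sensor on 2 of 8 queues misses most flows), as an added example that is not part of the original thread or of PF_RING. It assumes the 40-byte sample key from Microsoft's RSS documentation, a 128-entry indirection table filled round-robin, and constructed flows; a real NIC driver may use a different key and table.

```python
import random
import socket
import struct

# Assumption: sample RSS key from Microsoft's RSS documentation; drivers may differ.
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa")

def toeplitz_hash(data, key=RSS_KEY):
    """32-bit Toeplitz hash: XOR the sliding 32-bit key window for each set input bit."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i, byte in enumerate(data):
        for bit in range(8):
            if byte & (0x80 >> bit):
                shift = key_bits - 32 - (i * 8 + bit)
                result ^= (key_int >> shift) & 0xFFFFFFFF
    return result

def rss_queue(src, sport, dst, dport, n_queues=8, reta_size=128):
    """Queue for a TCP/IPv4 flow. Assumption: indirection table entry i -> i % n_queues."""
    data = (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HH", sport, dport))
    return (toeplitz_hash(data) % reta_size) % n_queues

def coverage(flows, listening, n_queues=8):
    """Fraction of flows that land on a queue some application is reading."""
    seen = sum(1 for f in flows if rss_queue(*f, n_queues=n_queues) in listening)
    return seen / len(flows)

def sample_flows(n, seed=1):
    """Constructed flows: random 10.x.x.x clients talking to one server on port 80."""
    rng = random.Random(seed)
    return [("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                              rng.randrange(1, 255)),
             rng.randrange(1024, 65536), "192.0.2.10", 80) for _ in range(n)]

if __name__ == "__main__":
    flows = sample_flows(20000)
    print("reading queues 0-1: %.1f%% of flows seen" % (100 * coverage(flows, {0, 1})))
    print("reading queues 0-7: %.1f%% of flows seen" % (100 * coverage(flows, set(range(8)))))
```

Because the hash is per flow, the unread queues hold entire connections, so the sensor misses whole sessions rather than a random sample of packets.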
