When you say "custom", how custom is it? Is it a matter of taking the existing examples and making small tweaks, or a major coding project?
As an alternative, if you're using DNA to access packet data, are those packets rendered unavailable through other non-DNA means? So if you have one application using DNA with symmetric RSS, could you have another application that's just using standard pf_ring and seeing the same packets (albeit not as efficiently)? Thanks, -Joe On Sat, Sep 22, 2012 at 1:13 PM, Alfredo Cardigliano <[email protected]> wrote: > Bob > please see inline > > On Sep 21, 2012, at 8:43 PM, Bob Bomar <[email protected]> wrote: > > I’m doing some testing currently with PF_RING + DNA. And I had 2 questions > that I wanted to ask: > > 1) If we’re running the driver with 8 RSS queues, is it splitting the > traffic across those 8 queues, or only the ones that we’re listening to? > I.e, if we’ve got 8 queues and we’ve got snort running on 2 of them, are we > ignoring 75% of the traffic? > > > Yes, as RSS distributes packets to queues according to the hash, you are > ignoring 75% of the traffic. > > 2) Can we, and if so how, get more than one application receiving the > same traffic? So if we have snort listening on dna0@[0-7], can we also fire > up nprobe for dna0@[0-7] and have it see the same data? > > > This is available with standard pf_ring or with libzero for DNA (not with > standard DNA). In the second case you need a custom "pfdnacluster_master" > application for distributing/cloning traffic in zero-copy to nProbe and > snort, and a custom DAQ-DNA compatible with libzero. > > Best Regards > Alfredo > > > > -- > Bob Bomar > Secure Information Services > terremark worldwide > Confidentiality Notice: This e-mail message, including any attachments, is > for the sole use of the intended recipient(s) and may contain confidential > and privileged information. Any unauthorized review, use, disclosure or > distribution is prohibited. If you are not the intended recipient and > received this in error, please contact the sender by reply e-mail and you > are hereby notified that the copying, use or distribution of any information > or materials transmitted in or with this message is strictly prohibited. > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
