Please make sure your traffic is well balanced (i.e. that you are not using test traffic with a single flow), by default a 2-tuple hashing is used, you can change this setting using the clustermode parameter as reported in PF_RING/userland/snort/pfring-daq-module/README.1st
--daq-var clustermode=<mode> Best Regards Alfredo On Mar 2, 2013, at 12:30 AM, J of Core <[email protected]> wrote: > Thanks for the reply, Jesse. I tried running multiples w/diff pid files, log > files, etc, but when I watch the counters I still only see one instance > increasing. > > I also did s'more searching online and found this on the metaflows google > group: > https://groups.google.com/forum/?fromgroups=#!topic/metaflows/Tjagd3MPr70 > > According to that post, I should be able to "run the command twice with the > same exact arguments and they will slip the traffic. The pfring kernel module > will automatically detect how many processes are running and split the > traffic accordingly" -- but that isn't working for me either. That post is > from 2011 so I'm not sure if things have changed since then or not. > > So not sure what I'm missing to make it distribute the traffic between > processes/instances. I'll keep investigating / testing :) > > thx > > > On Fri, Mar 1, 2013 at 12:46 PM, Jesse Bowling <[email protected]> wrote: > Hi Kevin, > > This is what I get for reading in reverse order. :) > > You are correct in what you wrote: you do have it up and running it would > seem. To run more instances, you need to start multiple instances of snort > and make sure that you pass them the same clusterid. > > The only tricky part is making sure that each snort instance has it's own PID > file, config file, logging directory, etc; that's usually the hardest part of > getting multiple snort instances up. :) > > There are a few strategies for managing the snort instance configs, but the > one I've seen described that I liked the most was to create a vanilla config > that expresses the things you want for every instance, and then create > individual configs for each instance specifying only the things that are > different and including the vanilla one. For instance: > > snort.master.conf: > > config interface: eth0 > include /rules/SOme_rule_file > etc > > and then: > > inst1.conf: > > config logdir: /nsm/snort/inst1 > include snort.master.conf > > That makes it a little easier to maintain your conf files... > > GL, > > Jesse > > On Fri, Mar 1, 2013 at 2:46 PM, Kevin Hanser <[email protected]> wrote: > So I appear to have pf_ring installed (via the RPMs) and snort working with > it. If I start up a snort instance using a command line similar to the > metaflows article (except I'm doing passive instead of inline for the time > being): > > snort -c /etc/snort/snort.conf -y -i eth0 --daq-dir /usr/local/lib/daq --daq > pfring --daq-var clusterid=10 --daq-mode passive > > I get a status counter "device" created in /proc/net/pf_ring named > <pid>-eth0.1. If I watch this file with cat while sending some traffic to > the machine, I see the counters increasing, and snort is logging the > information. So based on this, it seems that snort is working with pf_ring, > which was my "first step" so that's pretty cool. > > Now I'm trying to figure out how I distribute the load across multiple snort > / pf_ring instances. I started up multiple instances of snort, but when I > watch the counters it seems that only the one I started last is getting all > the traffic. I'm probably missing something in how I start it up, but I'm > unsure what. > > What do I need to tell pf_ring / snort so that they distribute the load > across the multiple rings / snorts? Is that what the clusterid=10 means? Is > that telling each pf_ring that it's part of the same cluster? I'm still > working on understanding how all this works together so if anyone has any > thoughts / suggestions that would be great! I'll keep researching and > reading and testing on my own as well, > > thx! > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > > -- > Jesse Bowling > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
