On 6/1/13 11:48 PM, Doug Burks wrote:
I am not a snort expert but the default is per IP balancing so it must
work, otherwise we have a bug. I suggest you to capture traffic with
an app such as pfdump that is cluster aware and see what traffic the
app received
Hi Luca,
Thanks for the quick response!
It looks like I'm seeing similar issues with Suricata and Bro, so I
don't think it's limited to Snort.
What's the recommended way to compile pfdump.c since there is no
configure and no Makefile in that directory?
Thanks,
Doug
If it helps - I'm running pf_ring 5.5.3 from a while here, from svn and
cannot observe similar issues. It's an older, version, though. Check out
the dates. So it looks like the regression has been introduced recently.
I'm running from 4 to 8 snort instances, depending on the sensor.
for i in {1..10}; do curl testmyids.com; sleep 5; done;
Fires exactly 10 events - I've tested four sensors, from 6 hosts behind
them. So the load balancing works perfectly.
config daq: pfring
config daq_dir: /opt/pfring/lib/daq
config daq_var: clusterid=52
Second sensor:
drwxr-xr-x 2 root root 4.0K Apr 24 20:26 daq
-rw-r--r-- 1 root root 394K Apr 24 20:26 libpcap.a
lrwxrwxrwx 1 root root 12 Apr 24 20:26 libpcap.so -> libpcap.so.1
lrwxrwxrwx 1 root root 16 Apr 24 20:26 libpcap.so.1 -> libpcap.so.1.1.1
-rwxr-xr-x 1 root root 383K Apr 24 20:26 libpcap.so.1.1.1
-rw-r--r-- 1 root root 230K Apr 24 20:26 libpfring.a
-rw-r--r-- 1 root root 173K Apr 24 20:26 libpfring.so
First sensor:
drwxr-xr-x 2 root root 4.0K May 22 18:25 daq
-rw-r--r-- 1 root root 394K May 22 18:20 libpcap.a
lrwxrwxrwx 1 root root 12 May 22 18:20 libpcap.so -> libpcap.so.1
lrwxrwxrwx 1 root root 16 May 22 18:20 libpcap.so.1 -> libpcap.so.1.1.1
-rwxr-xr-x 1 root root 382K May 22 18:20 libpcap.so.1.1.1
-rw-r--r-- 1 root root 234K May 22 18:19 libpfring.a
-rw-r--r-- 1 root root 173K May 22 18:19 libpfring.so
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
