Why do you use a cluster? On 03/06/2014 08:10 AM, Norbert Furlani wrote: > Hi, > > I've downloaded and compiled the latest svn PF_RING and snort (2.9.6.0). > > pf_ring kernel module loaded (ransparent_mode=0 min_num_slots=32768 > enable_tx_capture=0) > > $ cat /proc/net/pf_ring/info > PF_RING Version : 5.6.3 ($Revision: exported$) > Total rings : 2 > > Standard (non DNA) Options > Ring slots : 32768 > Slot version : 15 > Capture TX : No [RX only] > IP Defragment : No > Socket Mode : Standard > Transparent mode : Yes [mode 0] > Total plugins : 0 > Cluster Fragment Queue : 0 > Cluster Fragment Discard : 0 > > > and snort executed as follows (no rules):- > > # /usr/local/bin/snort -A console --daq-dir=/usr/local/lib/daq --daq > pfring --daq-var fast-tx=1 --daq-var clusterid=10,11 --daq-var > bindcpu=3 -i eth8:eth9 -Q > > I have one host connected on eth8 and one on eth9. When I ping one > host from the other, I see the packet header in the console and the > ICMP replies are received, however the RTTs are over 1000ms. ssh or > ftp across the link is unusable. > > By comparison, if I use afpacket daq, performance is excellent. > > On a side note, if I invoke another instance of snort using pf_ring, I > do not see a load balance of packets either. > > Anyone have similar problems? I'm thinking of trying ubuntu 13.10 to > see if it makes any difference. > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
