Hi,

I'm working with Snort in passive mode. I want to sniff on two interfaces but aggregate the traffic, because asymmetric traffic transits on the interfaces.

So I tried to run more instances of Snort on just one cluster, in this way:

  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort0 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=0 --daq-var clusterid=10,10
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=1 --daq-var clusterid=10,10
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort2 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=2 --daq-var clusterid=10,10
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort3 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=3 --daq-var clusterid=10,10
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort4 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=4 --daq-var clusterid=10,10
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort5 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=5 --daq-var clusterid=10,10
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort6 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=6 --daq-var clusterid=10,10
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort7 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=7 --daq-var clusterid=10,10

But it doesn't work well, because Snort receives packets from just one interface (I suppose this from the perfmonitor counter, which shows just half of the traffic that arrives on the two interfaces).

So I tried to use two clusters, but I think that in this way the traffic is not aggregated (perfmonitor shows higher throughput than in the first attempt: the same as what arrives on the two interfaces):

  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort0 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=0 --daq-var clusterid=10,11
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=1 --daq-var clusterid=10,11
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort2 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=2 --daq-var clusterid=10,11
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort3 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=3 --daq-var clusterid=10,11
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort4 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=4 --daq-var clusterid=10,11
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort5 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=5 --daq-var clusterid=10,11
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort6 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=6 --daq-var clusterid=10,11
  /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort7 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=7 --daq-var clusterid=10,11

Can you help me?

Thanks
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
