Hi Maurizio,

the first configuration is fine; the problem is that you have a space between the interface names (-i eth0, eth1 should be -i eth0,eth1).

Alfredo

On 26 Sep 2014, at 15:42, Maurizio Di Pietro (Esterna) <[email protected]> wrote:

> Hi,
> I’m working with snort in passive mode. I want to sniff on two interfaces but
> aggregate traffic because asymmetric traffic transits on the interfaces.
>
> So I try to run more instances of snort on just one cluster, in this way
>
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort0 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=0 --daq-var clusterid=10,10
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=1 --daq-var clusterid=10,10
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort2 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=2 --daq-var clusterid=10,10
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort3 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=3 --daq-var clusterid=10,10
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort4 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=4 --daq-var clusterid=10,10
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort5 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=5 --daq-var clusterid=10,10
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort6 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=6 --daq-var clusterid=10,10
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort7 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=7 --daq-var clusterid=10,10
>
> But it doesn’t work well because snort receives packets from just one
> interface (I suppose so from the perfmonitor counter, which shows just half
> of the traffic that arrives on the two interfaces)
>
> So I tried to use two clusters, but I think that in this way the traffic is
> not aggregated (perfmonitor shows higher throughput than the first attempt:
> the same that arrives on the two interfaces)
>
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort0 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=0 --daq-var clusterid=10,11
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=1 --daq-var clusterid=10,11
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort2 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=2 --daq-var clusterid=10,11
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort3 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=3 --daq-var clusterid=10,11
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort4 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=4 --daq-var clusterid=10,11
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort5 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=5 --daq-var clusterid=10,11
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort6 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=6 --daq-var clusterid=10,11
> /usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i eth0, eth1 -l /tmp/snort7 --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=7 --daq-var clusterid=10,11
>
> Can you help me?
>
> Thanks
>
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
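Added example, not part of the thread or of the ntop/snort projects: a shell sketch of why the space matters (the shell splits "-i eth0, eth1" into separate words, so -i receives only "eth0,") and of building the per-core launch lines with a checked, comma-joined interface list. Paths and options are copied from the quoted commands; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: function names are hypothetical; snort options are the ones
# quoted in the thread.

# Print the single word the shell hands to -i in an argument vector.
iface_arg() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-i" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Succeed only for a clean comma-separated list: no empty items, no whitespace.
valid_iface_list() {
    case "$1" in
        ''|,*|*,|*,,*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Join interface names with commas and nothing else.
join_ifaces() {
    ( IFS=,; printf '%s\n' "$*" )
}

# Print the launch line for one instance: snort_cmd CPU CLUSTERID IFACE...
# --pid-path is kept exactly as in the quoted commands.
snort_cmd() {
    cpu=$1; cluster=$2; shift 2
    ifaces=$(join_ifaces "$@")
    valid_iface_list "$ifaces" || { echo "bad interface list: '$ifaces'" >&2; return 1; }
    printf '%s\n' "/usr/local/bin/snort -q -c /etc/snort/snort.conf --pid-path=/tmp/snort0 -i $ifaces -l /tmp/snort$cpu --daq-dir /usr/local/lib/daq --daq pfring --daq-var bindcpu=$cpu --daq-var clusterid=$cluster"
}

# The quoted form: -i sees "eth0," and "eth1" becomes a separate word.
set -- -i eth0, eth1 -l /tmp/snort0
echo "with the space, -i receives: '$(iface_arg "$@")'"

# The corrected form for the eight cores used in the thread (printed, not run).
for cpu in 0 1 2 3 4 5 6 7; do
    snort_cmd "$cpu" 10,10 eth0 eth1
done
```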
