Ok, so I want to be able to run 12 snorts but still capture
all the traffic with tcpdump. Should I be doing this?
./zbalance_ipc -i zc:enp4s0 -m 1 -n 12,1 -c 44 -g 0:11
?
I get this output:
Application 0
pfcount -i zc:44@0
pfcount -i zc:44@1
pfcount -i zc:44@2
pfcount -i zc:44@3
pfcount -i zc:44@4
pfcount -i zc:44@5
pfcount -i zc:44@6
pfcount -i zc:44@7
pfcount -i zc:44@8
pfcount -i zc:44@9
pfcount -i zc:44@10
pfcount -i zc:44@11
Application 1
pfcount -i zc:44@12
Snort runs like this (12 total):
/opt/pf/bin/snort -D -i zc:44@0 --daq-dir=/opt/pf/lib/daq \
--daq-var clusterid=44 --daq-var bindcpu=6 --daq pfring_zc \
-c /etc/snort/snort.conf -l /var/log/snort1 -R 1
and I can then capture packets with
/opt/pf/sbin/tcpdump -i zc:44@12 -Xnns0 -w /tmp/all.cap
It all seems to work - does this all look right?
Thanks, and sorry for spamming the list so much.
--
Jim Hranicky
Data Security Specialist
UF Information Technology
Information Security Office
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
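A small POSIX shell helper, added here and not part of Jim's post or the PF_RING project, that reproduces the queue numbering zbalance_ipc printed above for any -n spec and emits the 12 snort commands plus the tcpdump command from one place, so each instance gets a distinct queue, core and log directory. It assumes queue ids run sequentially across the applications listed in -n, that snort instance N uses bindcpu=BASE_CPU+N, -l /var/log/snortN+1 and -R N+1 (generalising the single instance shown), and the paths from the post.

```shell
#!/bin/sh
# Added helper, not from the post or the PF_RING project. Enumerates the
# zc:<cluster>@<queue> names that "zbalance_ipc -c CLUSTER -n SPEC" hands out
# and generates one snort command per hashed queue (application 0) plus the
# tcpdump command for the fan-out queue (application 1).
# Assumptions: queue ids are numbered sequentially across the applications in
# the order given to -n (matching the Application 0/1 listing in the post);
# instance N gets bindcpu=BASE_CPU+N, -l /var/log/snortN+1 and -R N+1.

# zc_queues CLUSTER NSPEC -> one line per queue: "<app> <queue> zc:<cluster>@<queue>"
zc_queues() {
    cluster=$1
    old_ifs=$IFS
    IFS=,
    set -- $2                      # "12,1" -> "12" "1"
    IFS=$old_ifs
    app=0
    q=0
    for count in "$@"; do
        i=0
        while [ "$i" -lt "$count" ]; do
            printf '%s %s zc:%s@%s\n' "$app" "$q" "$cluster" "$q"
            i=$((i + 1))
            q=$((q + 1))
        done
        app=$((app + 1))
    done
}

# launch_plan CLUSTER NSPEC BASE_CPU -> snort line per application-0 queue,
# tcpdump line for the application-1 queue
launch_plan() {
    zc_queues "$1" "$2" | while read -r app q iface; do
        if [ "$app" -eq 0 ]; then
            n=$((q + 1))
            cpu=$(( $3 + q ))
            printf '/opt/pf/bin/snort -D -i %s --daq-dir=/opt/pf/lib/daq --daq-var clusterid=%s --daq-var bindcpu=%s --daq pfring_zc -c /etc/snort/snort.conf -l /var/log/snort%s -R %s\n' \
                "$iface" "$1" "$cpu" "$n" "$n"
        else
            printf '/opt/pf/sbin/tcpdump -i %s -Xnns0 -w /tmp/all.cap\n' "$iface"
        fi
    done
}

# The post's values: cluster 44, 12 hashed queues + 1 fan-out queue, cores from 6
launch_plan 44 12,1 6
```

Pipe the output into sh once the generated lines look right; running it as-is only prints the plan.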