Hi Lars I guess you are using RSS queues, what you need is zbalance_ipc, which is a software load balancer. Please disable RSS (RSS=1,1) and run for instance: zbalance_ipc -i zc:ethX -c 99 -m 1 -n 4,2,1 where 4 is the number of queues for suricata, 2 for snort, and 1 for argus, just as an example. Take a look at the output for the queue names.
Alfredo > On 14 Oct 2015, at 10:51, Lars Kulseng <[email protected]> wrote: > > I am setting up some IDS tools to work with pf_ring in ZC-mode. So far my > testing has shown that 2 queues is sufficient for the traffic I'm seeing. > > Setting e.g. Suricata to use these two queues seems to bind them to Suricata, > meaning that other programs, e.g. Argus, cannot listen to the same data. > > Lets say I have 4 tools that I want to listen to the same traffic. How do I > setup pf_ring ZC to support this? Or, if this is not possible, Could I set up > some tools to use ZC and some to use vanilla pf_ring, reserving ZC for the > most resource intensive tools? > > Lars > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
