Hi all, I posted a few weeks ago and have since got pf_ring with ZC working. I'm now trying to decide how best to configure snort (in IDS mode). My server has 4 X 12 core CPU's and two NIC's which are being fed one half each of a 10Gb connection.
I have a few key questions: - Within the ixgbe zc load_drive.sh script, would the default 16 queue option do, or would you choose something different: insmod ./ixgbe.ko MQ=1,1,1,1 RSS=16,16,16,16 - Assuming the choice of 16 above, should I start 16 copies of Snort like this (variation on the example from ntop website)? snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l /var/log/snort/eth4_eth5/instance-1 --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4@0+zc:eth5@0 --daq-var idsbridge=1 --daq-var bindcpu=0 The information on http://www.metaflows.com/features/pf_ring about CPU affinity and interrupts has confused me somewhat. Thanks J.
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
