Follow-up question - should I use the cluster-id parameter? This uses it: https://svn.ntop.org/svn/ntop/trunk/attic/PF_RING/userland/snort/pfring-daq-module-zc/README.1st
But this does not: http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/ On 2 December 2015 at 14:01, James <[email protected]> wrote: > Hi all, > > I posted a few weeks ago and have since got pf_ring with ZC working. I'm > now trying to decide how best to configure snort (in IDS mode). My server > has 4 X 12 core CPU's and two NIC's which are being fed one half each of a > 10Gb connection. > > I have a few key questions: > - Within the ixgbe zc load_drive.sh script, would the default 16 queue > option do, or would you choose something different: insmod ./ixgbe.ko > MQ=1,1,1,1 RSS=16,16,16,16 > > - Assuming the choice of 16 above, should I start 16 copies of Snort like > this (variation on the example from ntop website)? > snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf > -l /var/log/snort/eth4_eth5/instance-1 --daq-dir=/usr/local/lib/daq --daq > pfring_zc --daq-mode passive -i zc:eth4@0+zc:eth5@0 --daq-var idsbridge=1 > --daq-var bindcpu=0 > > The information on http://www.metaflows.com/features/pf_ring about CPU > affinity and interrupts has confused me somewhat. > > Thanks > J. >
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
