Please use README.1st as reference.
What you need to know:
1. Use --daq-var clusterid=K where K is a unique number per snort instance, 
used for resource allocation
2. Use --daq-var bindcpu=K where K is the core id for affinity, please ignore 
interrupts affinity with ZC
3. Use “,” in -i in place of “+” for interfaces aggregation, “+” is used for 
IPS/IDS-bridge mode
4. We usually recommend using only the CPU where the NIC is connected, however 
since snort is (likely) the bottleneck, feel free to use all the cores 
available, setting RSS=N,N where N is the number of cores and the number of 
snort instances.

Alfredo

> On 02 Dec 2015, at 15:08, James <[email protected]> wrote:
> 
> Follow-up question - should I use the cluster-id parameter?
> 
> This uses it:
> https://svn.ntop.org/svn/ntop/trunk/attic/PF_RING/userland/snort/pfring-daq-module-zc/README.1st
> 
> But this does not:
> http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/
> 
> On 2 December 2015 at 14:01, James <[email protected]> wrote:
> Hi all,
> 
> I posted a few weeks ago and have since got pf_ring with ZC working. I'm now 
> trying to decide how best to configure snort (in IDS mode). My server has 4 X 
> 12 core CPUs and two NICs which are being fed one half each of a 10Gb 
> connection.
> 
> I have a few key questions:
> - Within the ixgbe zc load_drive.sh script, would the default 16 queue option 
> do, or would you choose something different: insmod ./ixgbe.ko MQ=1,1,1,1 
> RSS=16,16,16,16
> 
> - Assuming the choice of 16 above, should I start 16 copies of Snort like 
> this (variation on the example from ntop website)?
> snort -q --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf -l 
> /var/log/snort/eth4_eth5/instance-1 --daq-dir=/usr/local/lib/daq --daq 
> pfring_zc --daq-mode passive -i zc:eth4@0+zc:eth5@0 --daq-var idsbridge=1 
> --daq-var bindcpu=0
> 
> The information on http://www.metaflows.com/features/pf_ring about CPU 
> affinity and interrupts has confused me somewhat.
> 
> Thanks
> J.
> 
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
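
The four points from the reply, applied to the command line from the question, as an added example (not part of the thread or of the PF_RING README). Interface names, paths and the queue count come from the question; mapping queue N to cluster id N and core N, and leaving out idsbridge because "," aggregation is used, are assumptions.

```shell
#!/bin/sh
# Added example: print one snort command line per RSS queue.
# Load the driver with RSS=N,N so that N matches QUEUES below (point 4).

IFACES="eth4 eth5"                 # NICs to aggregate (from the question)
QUEUES=16                          # RSS queues per NIC = snort instances
LOGROOT=/var/log/snort/eth4_eth5   # per-instance log dirs live under here

# zc_iface_list QUEUE -> "zc:eth4@Q,zc:eth5@Q"
# "," aggregates interfaces; "+" would select IPS/IDS-bridge mode (point 3).
zc_iface_list() {
    queue=$1
    list=""
    for nic in $IFACES; do
        list="${list:+$list,}zc:${nic}@${queue}"
    done
    printf '%s\n' "$list"
}

# snort_cmd QUEUE -> command line for the instance serving that queue.
# clusterid is unique per instance (point 1); bindcpu pins the instance to
# one core (point 2). Assumption: queue N uses cluster id N and core N.
snort_cmd() {
    n=$1
    printf '%s\n' "snort -q --pid-path /var/run --create-pidfile -D \
-c /etc/snort/snort.conf -l ${LOGROOT}/instance-${n} \
--daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive \
-i $(zc_iface_list "$n") --daq-var clusterid=${n} --daq-var bindcpu=${n}"
}

# all_cmds -> one command per queue, 0 .. QUEUES-1 (printed, not executed).
all_cmds() {
    i=0
    while [ "$i" -lt "$QUEUES" ]; do
        snort_cmd "$i"
        i=$((i + 1))
    done
}

# Dry run: "sh thisfile --print" lists the commands for review.
if [ "${1:-}" = "--print" ]; then
    all_cmds
fi
```

Review the printed lines before starting anything; each instance needs its own existing log directory under LOGROOT.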
