Are you running Snort at the same time, perhaps? Please note that running two applications on the same interface is not allowed with ZC (it is still possible to use zbalance_ipc to fan out the traffic). You said you are using the tcpdump part of pf_ring, right?
Alfredo

> On 10 Dec 2015, at 14:59, James <[email protected]> wrote:
>
> Hi Alfredo,
>
> For the list's benefit, I have (with your help) solved my problem by
> increasing $HUGEPAGES to 2048 in the load_driver script. I now have 16
> instances of Snort running and alerts are being generated. I am surprised by
> how few alerts are occurring though and wanted to verify what traffic was
> being seen. I thought tcpdump would be a good way to do this, so compiled the
> pf_ring version, but I can't get that to display any traffic on either of my
> two interfaces. I've tried:
> "tcpdump -i eth4" (or 5) which functions but shows no traffic
> "tcpdump -i zc:eth4"
> "tcpdump -i zc:eth4@0" both of which fail, telling me there is no such device
>
> Sorry for asking so many questions, but any ideas please?
>
> Thanks
> James
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
