Snort mailing list archives
Re: pfring and traffic splitting
From: Greg Williams <gwillia5 () uccs edu>
Date: Mon, 5 Nov 2012 18:14:07 +0000
Thanks Jack, that makes sense now. Is there a way to run it utilizing pfring without multiqueue? I tried removing the @queue and it only allows one process.

From: Jack [mailto:kingofnerds () gmail com]
Sent: Monday, November 05, 2012 10:35 AM
To: Greg Williams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pfring and traffic splitting

Your interfaces need to all be the same. Unless you are using an interface card which supports multiple queues.

On Nov 5, 2012 12:22 PM, "Greg Williams" <gwillia5 () uccs edu> wrote:

I have been running Snort 2.9.2 for quite a while. I decided to look at the stats and it was dropping around 50% of the packets ~170Mbps. I decided to install PFRING and update Snort. My problem is that pfring doesn't look like it's splitting any traffic. Any ideas?

    /usr/local/bin/snort -D -c /etc/snort/snort.conf -i eth1@0 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10
    /usr/local/bin/snort -D -c /etc/snort/snort1.conf -i eth1@1 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10
    /usr/local/bin/snort -D -c /etc/snort/snort2.conf -i eth1@2 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10
    /usr/local/bin/snort -D -c /etc/snort/snort3.conf -i eth1@3 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10

To show no alerts are processing (each config file has a different snort log to make sure snort is processing traffic differently):

    -rw-------. 1 root root 145163 Nov 5 09:37 snort.log.1352132863
    -rw-------. 1 root root 0 Nov 5 09:40 snort1.log.1352133627
    -rw-------. 1 root root 0 Nov 5 09:40 snort2.log.1352133634
    -rw-------. 1 root root 0 Nov 5 09:40 snort3.log.1352133640

Processes:

    30428 ? 00:19:48 snort
    30432 ? 00:00:00 snort
    30435 ? 00:00:00 snort
    30438 ? 00:00:00 snort

Only 1 process is at 100% CPU. The other snort processes are idle.

Snort 2.9.3.1
DAQ 0.6.2
PFRING - latest
OS CentOS 6.3
Quad core
6GB ram - not pegged at the moment

Greg Williams

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
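A check for the condition Jack describes in the quoted reply (instances that share a clusterid should all name the same interface), as an added example that is not part of the thread. The function name check_cluster_ifaces is hypothetical and the input is the four launch lines from the original post; on a NIC with multiple queues the flagged layout may be intended.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. check_cluster_ifaces is a hypothetical
# helper: it reads snort launch lines on stdin (one per line), groups them by
# the clusterid given via --daq-var, and reports every clusterid whose
# instances were started with different -i values.
# Exit status: 0 = every cluster uses one interface name, 1 = mismatch found.
check_cluster_ifaces() {
  awk '
    {
      iface = ""; cid = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-i") iface = $(i + 1)
        if ($i == "--daq-var" && $(i + 1) ~ /^clusterid=/) {
          cid = $(i + 1)
          sub(/^clusterid=/, "", cid)
        }
      }
      # Lines without both an interface and a clusterid are not pfring workers.
      if (iface == "" || cid == "") next
      if (!(cid in first)) first[cid] = iface
      else if (first[cid] != iface) mixed[cid] = 1
      seen[cid] = seen[cid] " " iface
    }
    END {
      bad = 0
      for (cid in mixed) {
        printf "clusterid=%s mixes interfaces:%s\n", cid, seen[cid]
        bad = 1
      }
      exit bad
    }'
}

# The four launch lines from the original post.
POSTED_CMDS='/usr/local/bin/snort -D -c /etc/snort/snort.conf -i eth1@0 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10
/usr/local/bin/snort -D -c /etc/snort/snort1.conf -i eth1@1 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10
/usr/local/bin/snort -D -c /etc/snort/snort2.conf -i eth1@2 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10
/usr/local/bin/snort -D -c /etc/snort/snort3.conf -i eth1@3 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10'

# Demo run; "|| true" keeps the script going when a mismatch is reported.
printf '%s\n' "$POSTED_CMDS" | check_cluster_ifaces || true
```
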
Current thread:
- pfring and traffic splitting Greg Williams (Nov 05)
- Re: pfring and traffic splitting Jack (Nov 05)
- Re: pfring and traffic splitting Greg Williams (Nov 05)
- Re: pfring and traffic splitting Peter Bates (Nov 06)
- Re: pfring and traffic splitting Greg Williams (Nov 06)
- Re: pfring and traffic splitting Jefferson, Shawn (Nov 06)
- Re: pfring and traffic splitting Joel Esler (Nov 06)
- Re: pfring and traffic splitting beenph (Nov 06)
- Re: pfring and traffic splitting Greg Williams (Nov 07)
- Re: pfring and traffic splitting Joel Esler (Nov 07)
- Re: pfring and traffic splitting Greg Williams (Nov 07)
- Re: pfring and traffic splitting Greg Williams (Nov 07)
- Re: pfring and traffic splitting waldo kitty (Nov 07)
- Re: pfring and traffic splitting Greg Williams (Nov 05)
- Re: pfring and traffic splitting Jack (Nov 05)