Re: pfring and traffic splitting

[Jack <kingofnerds () gmail com>]

Your interfaces need to all be the same. Unless you are using an interface
card which supports multiple queues.
On Nov 5, 2012 12:22 PM, "Greg Williams" <gwillia5 () uccs edu> wrote:

>  I have been running Snort 2.9.2 for quite a while.  I decided to look at
> the stats and it was dropping around 50% of the packets ~170Mbps.  I
> decided to install PFRING and update Snort..  My problem is that pfring
> doesn’t look like it’s splitting any traffic.  Any ideas?****
>
> ** **
>
> /usr/local/bin/snort -D -c /etc/snort/snort.conf -i eth1@0 --daq-dir
> /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10*
> ***
>
> /usr/local/bin/snort -D -c /etc/snort/snort1.conf -i eth1@1 --daq-dir
> /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10*
> ***
>
> /usr/local/bin/snort -D -c /etc/snort/snort2.conf -i eth1@2 --daq-dir
> /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10*
> ***
>
> /usr/local/bin/snort -D -c /etc/snort/snort3.conf -i eth1@3 --daq-dir
> /usr/local/lib/daq --daq pfring --daq-mode passive --daq-var clusterid=10*
> ***
>
> ** **
>
> To show no alerts are processing(each config file has a different snort
> log to make sure snort is processing traffic differently):****
>
> ** **
>
> -rw-------. 1 root  root    145163 Nov  5 09:37 snort.log.1352132863****
>
> -rw-------. 1 root  root         0 Nov  5 09:40 snort1.log.1352133627****
>
> -rw-------. 1 root  root         0 Nov  5 09:40 snort2.log.1352133634****
>
> -rw-------. 1 root  root         0 Nov  5 09:40 snort3.log.1352133640****
>
> ** **
>
> Processes:****
>
> ** **
>
> 30428 ?        00:19:48 snort****
>
> 30432 ?        00:00:00 snort****
>
> 30435 ?        00:00:00 snort****
>
> 30438 ?        00:00:00 snort****
>
> ** **
>
> Only 1 process is at 100% CPU.  The other snort processes are idle.****
>
> ** **
>
> Snort 2.9.3.1****
>
> DAQ 0.6.2****
>
> PFRING - latest****
>
> OS CentOS 6.3****
>
> Quad core****
>
> 6GB ram – not pegged at the moment****
>
> ** **
>
> Greg Williams
>
>
> ****
>
> ** **
>
>
> ------------------------------------------------------------------------------
> LogMeIn Central: Instant, anywhere, Remote PC access and management.
> Stay in control, update software, and manage PCs from one command center
> Diagnose problems and improve visibility into emerging IT issues
> Automate, monitor and manage. Do more in less time with Central
> http://p.sf.net/sfu/logmein12331_d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!