I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored traffic.
I want to split these 800 Mbps into smaller chunks and feed them to a couple of 
virtual interfaces.
Each virtual interface can then have an instance of 'snort' inspecting its traffic.

Say approximately 200 Mbps per interface = four interfaces.
That way, each of the four snort processes only gets 200 Mbps of data to inspect 
instead of having *one* single snort process (single-threaded) trying to cope 
with 800 Mbps.

(The problem I'm trying to solve is utilizing all CPUs. Currently one CPU runs 
snort at 100% while all the other CPUs idle.)


The important thing though is that all packets in the connection need to be 
diverted to the same virtual NIC. You can't send the SYN to NIC0 and the 
SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 sees 
the other side of the connection.
The load balancing must be based on a hash built from at least the 
MAC addresses + IP addresses.


So, what I think I'm looking for is a way to configure a lagg0 interface in 
loadbalance mode that takes all the incoming traffic on mon0 and distributes it 
over four virtual member NICs. (These four NICs would then probably be 
configured to run in monitor mode.)


Does FreeBSD support what I'm looking for? How do I do it? Where should I look?

/Elof
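To make the "same connection, same member" requirement concrete, here is an added example (not code from this thread, nor FreeBSD's lagg(4) implementation) of a direction-independent flow hash: the two endpoints are sorted before hashing, so the SYN and the SYN-ACK produce the same key and are steered to the same member interface. The MAC/IP/port values and the four-member split are constructed assumptions; ports are included on top of the MAC + IP fields the post names.

```python
import ipaddress
import zlib
from dataclasses import dataclass

N_MEMBERS = 4  # four virtual member NICs, one single-threaded snort each (assumed)

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def _endpoint(mac: str, ip: str, port: int) -> bytes:
    """Pack one endpoint (MAC, IP, port) into a fixed-width byte string."""
    return (bytes.fromhex(mac.replace(":", ""))
            + ipaddress.ip_address(ip).packed
            + port.to_bytes(2, "big"))

def flow_key(pkt: Packet) -> bytes:
    """Direction-independent key: sort the two endpoints so A->B == B->A."""
    a = _endpoint(pkt.src_mac, pkt.src_ip, pkt.src_port)
    b = _endpoint(pkt.dst_mac, pkt.dst_ip, pkt.dst_port)
    return min(a, b) + max(a, b)

def member_for(pkt: Packet) -> int:
    """Member interface index (0..N_MEMBERS-1) this packet is steered to."""
    return zlib.crc32(flow_key(pkt)) % N_MEMBERS

def reply(pkt: Packet) -> Packet:
    """Same connection, opposite direction (e.g. the server's SYN-ACK)."""
    return Packet(pkt.dst_mac, pkt.src_mac, pkt.dst_ip, pkt.src_ip,
                  pkt.dst_port, pkt.src_port)

def members_used(packets) -> dict:
    """Packets per member: a rough check that the split spreads the load."""
    counts = {i: 0 for i in range(N_MEMBERS)}
    for p in packets:
        counts[member_for(p)] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample: 200 client flows to one HTTPS server, both directions.
    syns = [Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", f"10.0.0.{i % 250}",
                   "192.0.2.10", 40000 + i, 443) for i in range(200)]
    assert all(member_for(p) == member_for(reply(p)) for p in syns)
    print(members_used(syns + [reply(p) for p in syns]))
```

A hash that fed src/dst in packet order instead of sorted order would pass this check only by luck, which is exactly the SYN-on-NIC0, SYN-ACK-on-NIC1 failure the post describes.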
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net