On Mon, Sep 22, 2014 at 5:12 PM, Elof Ofel <elof...@hotmail.com> wrote:
> I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored
> traffic.
> I want to split these 800 Mbps into smaller chunks and feed them to a couple
> of virtual interfaces.
> Each virtual interface can then have an instance of 'snort' inspecting its
> traffic.
>
> Say approximately 200 Mbps per interface = four interfaces.
> That way, each of the four snort processes only gets 200 Mbps of data to
> inspect instead of having *one* single snort process (single-threaded) trying
> to cope with 800 Mbps.
>
> (The problem I'm trying to solve is utilizing all CPUs. Currently one CPU
> runs snort at 100% while all the other CPUs idle.)
>
> The important thing though is that all packets in the connection need to be
> diverted to the same virtual NIC. You can't send the SYN to NIC0 and the
> SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 sees
> the other side of the connection.
> The load balancing must be based on a hash built from at least the
> MAC addresses + IP addresses.
>
> So, what I think I'm looking for is a way to configure a lagg0 interface in
> loadbalance mode that takes all the incoming traffic on mon0 and distributes
> it over four virtual member NICs. (These four NICs would then probably be
> configured to run in monitor mode.)
>
> Does FreeBSD support what I'm looking for? How do I do it? Where should I look?
>
> /Elof
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Since this is below one Gig, would running separate snort processes on mon0 and using a BPF filter to split traffic work?

--Nikolay
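As an added illustration of Nikolay's suggestion (this is not code from the thread, and it does not answer the lagg question): the one property Elof insists on is that both directions of a connection reach the same snort process. A BPF expression can give that without a lagg interface if the split is a symmetric function of the two addresses. The script below assumes four snort instances all reading mon0, IPv4 traffic without 802.1Q tags, and that snort takes a trailing pcap-filter expression the way tcpdump does; it generates the four filter expressions, simulates how they bucket packets, and checks that a constructed SYN and its SYN-ACK land in the same instance. The addresses are made up.

```python
"""Connection-affine splitting of one monitor port across N snort processes.

Added example, not from the freebsd-net thread. Two bucketing functions
are shown: a proper symmetric hash of the 5-tuple (what a user-space
balancer would compute) and the coarser one a pcap-filter expression can
express with plain arithmetic on header bytes. All addresses are constructed.
"""
import ipaddress
import struct
import zlib

# Assumed: four snort instances on the same mon0. The BPF variant masks with
# (n - 1), so n must be a power of two.
N_PROCS = 4


def symmetric_flow_bucket(src_ip, dst_ip, src_port, dst_port, proto=6, n=N_PROCS):
    """Bucket a packet by a direction-independent hash of its 5-tuple.

    The two endpoints are sorted before hashing, so A->B and B->A produce
    the same key and therefore the same bucket.
    """
    ends = sorted([
        ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port),
        ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port),
    ])
    key = ends[0] + ends[1] + bytes([proto])
    return zlib.crc32(key) % n


def bpf_bucket(src_ip, dst_ip, n=N_PROCS):
    """Bucket exactly the way bpf_filter() below does.

    Sum of the last octet of the IPv4 source and destination address, masked
    to n buckets. Addition is commutative, so both directions agree. Ports are
    ignored, so all traffic between two hosts goes to one instance.
    """
    s = ipaddress.IPv4Address(src_ip).packed[3]
    d = ipaddress.IPv4Address(dst_ip).packed[3]
    return (s + d) & (n - 1)


def bpf_filter(k, n=N_PROCS, catch_non_ip=False):
    """pcap-filter expression selecting bucket k for one snort instance.

    ip[15] and ip[19] are the last bytes of the IPv4 source (offsets 12-15)
    and destination (offsets 16-19) address. Every expression requires 'ip',
    so ARP and other non-IP frames match none of them unless one instance
    (normally k == 0) is told to catch them with 'or not ip'.
    """
    assert n & (n - 1) == 0, "n must be a power of two for the & mask"
    expr = f"ip and ((ip[15] + ip[19]) & {n - 1}) = {k}"
    if catch_non_ip:
        expr = f"({expr}) or not ip"
    return expr


# Constructed SYN and the matching SYN-ACK in the reverse direction.
SYN = ("192.0.2.10", "198.51.100.80", 51234, 443)
SYN_ACK = ("198.51.100.80", "192.0.2.10", 443, 51234)


def same_instance(pkt_a, pkt_b):
    """True if both bucketing schemes send the two packets to one instance."""
    return (symmetric_flow_bucket(*pkt_a) == symmetric_flow_bucket(*pkt_b)
            and bpf_bucket(pkt_a[0], pkt_a[1]) == bpf_bucket(pkt_b[0], pkt_b[1]))


if __name__ == "__main__":
    for k in range(N_PROCS):
        # Assumed snort invocation, filter as trailing argument like tcpdump:
        #   snort -i mon0 -c snort.conf 'ip and ((ip[15] + ip[19]) & 3) = 0'
        print(f"instance {k}: {bpf_filter(k, catch_non_ip=(k == 0))}")
    print("SYN and SYN-ACK share an instance:", same_instance(SYN, SYN_ACK))
```

Two caveats a practitioner would check before relying on this: the split is only as even as the last-octet sums of the monitored address pairs, so look at the per-instance CPU load rather than assuming 200 Mbps each; and if the mirror port delivers 802.1Q-tagged frames, the expressions need a leading `vlan and`, which shifts the header offsets for the rest of the filter. Each instance also still sees the full 800 Mbps on mon0 before the filter discards its share, so the kernel-side filtering cost is paid four times.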