Elof Ofel wrote this message on Mon, Sep 22, 2014 at 17:12 +0200:
> I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored 
> traffic.
> I want to split these 800 Mbps into smaller chunks and feed them to a couple 
> of virtual interfaces.
> Each virtual interface can then have an instance of 'snort' inspecting its 
> traffic.
> 
> Say approximately 200 Mbps per interface = four interfaces.
> That way, each of the four snort processes only gets 200 Mbps of data to 
> inspect instead of having *one* single snort process (single-threaded) trying 
> to cope with 800 Mbps.
> 
> (the problem I'm trying to solve is utilizing all CPUs. Currently one CPU 
> runs snort at 100% while all the other CPUs idle.)
> 
> 
> The important thing though is that all packets in the connection need to be 
> diverted to the same virtual NIC. You can't send the SYN to NIC0 and the 
> SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 sees 
> the other side of the connection.
> The loadbalancing must be based on a hash built from at least the 
> mac-addresses+IP-addresses.
> 
> 
> So, what I think I'm looking for is a way to configure a lagg0 interface in 
> loadbalance mode, that takes all the incoming traffic on mon0 and distributes 
> it over four virtual member NICs. (these four NICs would then probably be 
> configured to run in monitor mode.)
> 
> 
> Does FreeBSD support what I'm looking for? How do I do it? Where should I look?

One possible option (and I say possible in that I have no clue if it
would work) is to use lagg onto n tap interfaces...  The lagg splits
the traffic, and the tap interfaces accept it...  Though you may have
to do something special to throw away the traffic...

You could also possibly do something similar w/ netgraph, say one2many+bpf
(w/ basically the same rule as lagg) to ng_ether..

-- 
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
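
The requirement in the question, that both directions of a connection reach the same snort instance, comes down to hashing on a direction-independent key. The following is an added example, not code from the thread or from FreeBSD: it assumes IPv4 address plus port as the key (MAC or IP-only keys work the same way), uses a splitmix64-style mixer as the hash, and all addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_SENSORS 4 /* four snort instances, as in the question */

/* One endpoint packed as (IPv4 address << 16) | port; values are constructed. */
typedef uint64_t endpoint;
typedef unsigned (*bucket_fn)(endpoint src, endpoint dst);

/* splitmix64 finalizer, used here only as a well-mixing integer hash. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Direction-dependent: src and dst are hashed in the order seen on the wire. */
unsigned naive_bucket(endpoint src, endpoint dst)
{
    return (unsigned)(mix64(mix64(src) ^ dst) % NUM_SENSORS);
}

/* Direction-independent: order the endpoints first, so A->B and B->A match. */
unsigned symmetric_bucket(endpoint src, endpoint dst)
{
    endpoint lo = src < dst ? src : dst;
    endpoint hi = src < dst ? dst : src;
    return (unsigned)(mix64(mix64(lo) ^ hi) % NUM_SENSORS);
}

/* Count constructed flows whose two directions land on different sensors. */
unsigned count_split(bucket_fn f, unsigned nflows)
{
    unsigned split = 0;
    for (unsigned i = 0; i < nflows; i++) {
        /* clients from 10.0.0.1 upward, varying ports, to 192.0.2.10:443 */
        endpoint client = ((uint64_t)(0x0a000001u + i) << 16) | (40000u + i % 20000u);
        endpoint server = ((uint64_t)0xc000020au << 16) | 443u;
        if (f(client, server) != f(server, client))
            split++;
    }
    return split;
}

int main(void)
{
    printf("naive: %u/1000 flows split\n", count_split(naive_bucket, 1000));
    printf("symmetric: %u/1000 flows split\n", count_split(symmetric_bucket, 1000));
    return 0;
}
```

A flow counted as split is one where the SYN and the SYN-ACK would be inspected by different snort processes, which is the failure the question describes.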