af-packet.rst

AF-PACKET

Modern versions of Setup will configure Suricata and Zeek to use AF-PACKET instead of PF-RING.

Note

Snort will continue to use PF-RING for load balancing until Snort 3.0 is released.

If you want to change the number of AF-PACKET workers after running Setup, you can do the following.

Suricata

To change the number of AF-PACKET workers for Suricata:

• Stop sensor processes:

  sudo so-suricata-stop
  

• Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to the desired number of workers.

• Start sensor processes:

  sudo so-suricata-start
  

• so-suricata-start automatically copies $IDS_LB_PROCS into suricata.yaml and then Suricata creates the appropriate number of AF-PACKET workers.

Zeek

To change the number of AF-PACKET workers for Zeek:

• Stop Zeek:

  sudo so-zeek-stop
  

• Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.

• Start Zeek:

  sudo so-zeek-start
  

tcpreplay

Warning

If you try to test AF-PACKET load balancing using tcpreplay locally, please note that load balancing will not work properly and all (or most) traffic will be handled by the first worker in the AF-PACKET cluster. If you need to test AF-PACKET load balancing properly, you can run tcpreplay on another machine connected to your AF-PACKET machine.