Using multiple interfaces standalone configuration

Hi all,

I know that this has been asked a few times already but I can’t find an answer to this question that actually works on my machine. Ill try to keep it short.

What would my node.cfg file look like if I want a standalone configuration to listen on multiple network interfaces installed on the same machine?

I have tried setting up a ‘local cluster’, used the -i flag to define multiple interfaces and tried to configure it using PFring parameters in the node.cfg file. Nothing seems to work so far. Maybe I did it wrong but I would like to know what the ‘official’ method would be to do this.

Any help would be much appreciated!

Hi,

we use multiple worker definitions in our node.cfg; see below.
We use af_packet instead of pf_ring and have pinned the number of worker processess to specific CPU- cores. Next to that, we always rename our capture interfaces through udev rules to pcap0, pcap1, etc. to get a general configuration and don’t have to deal with the actual interfaces names as the will be different on different hardware setups. That is what you’ll see below.

[worker-1]
type=worker
host=localhost
lb_procs=28
lb_method=custom
pin_cpus=2,3,4,5,6,7,8,9,10,11,12,13,14,15,34,35,36,37,38,39,40,41,42,43,44,45,46,47
interface=af_packet::pcap0
af_packet_fanout_id=25
af_packet_fanout_mode=AF_Packet::FANOUT_QM
af_packet_buffer_size=134217728

[worker-2]
type=worker
host=localhost
lb_procs=28
lb_method=custom
pin_cpus=18,19,20,21,22,23,24,25,26,27,28,29,30,31,50,51,52,53,54,55,56,57,58,59,60,61,62,63
interface=af_packet::pcap1
af_packet_fanout_id=30
af_packet_fanout_mode=AF_Packet::FANOUT_QM
af_packet_buffer_size=134217728

Hope this helps.

Cheers, John

Thanks John!

I have tried this worker approach and fixed some issues that I apparently did not notice earlier. Cough the zeek port was already in use cough. Thanks to your config and my brain braining everything seems to work fine now!