[Snort-users] Channel bonding in Linux --- brief HOWTO

Bennett Todd bet at ...6163...
Wed Oct 2 11:03:21 EDT 2002

In Red Hat 7.3, with the default 2.4.18-3 kernel, it's really easy
to bond multiple channels to snort them all. The technique is
documented in /usr/src/linux/Documentation/networking/bonding.txt.
In brief:

	grep bond0 /etc/modules.conf || echo alias bond0 bonding >/etc/modules.conf
	ifconfig bond0 up
	for if in eth1 eth2 ...;do
		ifconfig $if up
		ifenslave bond0 $if
	snort ... -i bond0 ...

Works great. The ifenslave invocations whinge a bit about all the
things they can't do with the unnumbered interfaces, but it all

I used 3 Compaq DL-320s for a test setup. Each of these comes with
two eepro100 interfaces; in one I've added a third such interface in
the PCI slot. On each box the eth0 is the mgmt interface (NB when
you add a PCI card eepro100 it becomes eth0 and the two builtin NICs
renumber to eth1 and eth2).

Besides running the eth0 interfaces to a hub, I tied the two eth1s
from the dual-interface traffic generators to the eth1 and eth2
builtins on the 3-interface box, with crossover cables, running
100BaseT. I used the above invocations to get snort cooking with
its default sigs, listening to bond0 with eth1 and eth2 enslaved to
it. Snort sat idle. I fired up a ping -f on one of the generators
and snort jumped up to 25% CPU; then launched ping -f on the
other generator and it jumped to 55%. Each generator was emitting
c. 20,000 packets/second, default ping packet size (64 bytes).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021002/b513302d/attachment.sig>

More information about the Snort-users mailing list