[Snort-users] listing daq-vars and confirming the cluster type of pfring
xiche at ...3147...
Mon May 29 13:45:11 EDT 2017

First of all, DAQ variables will never directly affect or configure
Snort; they are purely a construct of the DAQ module being used. In the
current version of libDAQ there is no way to query a DAQ module for
variables that it supports, so the best you can do is either look at the
source or the documentation for the particular module to determine which
variables may be set and the effect of doing so. As you probably know,
to pass a DAQ variable through Snort to the DAQ module, use the
--daq-var command line option in the form of "variable_name" (to define
the variable with a null value) or "variable_name=value" (to define the
variable with a value). If you really want to confirm anything that a
particular DAQ module is doing, you will need to at least examine the
code and potentially add some debug logging and recompile to be

On 05/12/2017 09:25 AM, Charlie Dyer wrote:
> Hello list
> Could someone tell me if there is a way of listing all the variables you
> can pass to the daq-vars option?
> I've tried looking in various header files but can't find anything.
> The reason I ask is to confirm what type of clustering pf_ring is using and
> whether you can tell it to use one type or the other. As I understand it
> from reading the pfring code, the type is either round-robin (the default)
> or flow-5-tuple. How can I tell snort/pfring/daq to use flow-5-tuple?
> It would be good to understand what all the daq-var variables are and what
> they do/how they affect snort.
> Many thanks in advance