Project

General

Profile

Actions

Feature #1750

open

Set Suricata to listen to all network interfaces when using AF_PACKET

Added by Lars Kulseng almost 9 years ago. Updated almost 6 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
medium
Difficulty:
medium
Label:

Description

In a scenario where you have a lot of network interfaces, and not enough resources to start a Suricata instance for each interface, it would be beneficial to allow Suricata to listen to all ports at once.

This can be achieved by setting sll.sll_ifindex to 0 before binding to the interface with bind() [1]. When reading from the ring buffer, each frame will have the sockaddr_ll struct inside it, allowing for extraction of the interface that the frame came in on. [2]

[1] http://man7.org/linux/man-pages/man2/bind.2.html
[2] https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt

Actions

Also available in: Atom PDF