Updating network interfaces for traffic capture using DPDK in a multiserver configuration
When switching from PF_RING or AF_PACKET to DPDK, you need to specify the names of the network interfaces (in a new format) from which the sensor will capture traffic. You can view the list of network interfaces using the ptdpictl devlist command on the additional sensor sever. In the command output, an interface name is at the beginning of the block of each interface (starting with pci-, for example, pci-02-00-0).
/opt/ptsecurity/etc/ptdpi.settings.yaml file:sudo nano /opt/ptsecurity/etc/ptdpi.settings.yamlCapture settings section in the capture_if setting, specify and separate by space character the names of network interfaces whose traffic must be captured, for example:capture_if: pci-02-02-0 pci-03-00-0dpdk.interfaces.<name of the network interface from the previous step>: { ip-addr: <IP address of the interface> }dpdk.interfaces.pci-02-00-0: { ip-addr: 203.0.113.12 } dpdk.interfaces.pci-03-00-0: { ip-addr: 203.0.113.13 }
/opt/ptsecurity/etc/ptdpi.settings.yaml file.capture_if setting become available to the sensor and unavailable to the operating system when DPDK is used after the update is completed.If you specified a wrong network interface in the sensor configuration, you can return it to be used in the operating system with the command
/opt/ptsecurity/dpi/configure-nif.sh down <Network interface name>, for example, /opt/ptsecurity/dpi/configure-nif.sh down pci-02-00-0.