AF-PACKET¶

Modern versions of Setup will configure Suricata and Zeek to use AF-PACKET instead of PF-RING. (Snort will continue to use PF-RING for load balancing until Snort 3.0 is released.)

If you want to change the number of AF-PACKET workers after running Setup, you can do the following.

Suricata¶

To change the number of AF-PACKET workers for Suricata:

Stop sensor processes:
```
sudo so-suricata-stop
```
Edit /etc/nsm/$HOSTNAME-$INTERFACE/sensor.conf and change the IDS_LB_PROCS variable to the desired number of workers.
Start sensor processes:
```
sudo so-suricata-start
```
so-suricata-start automatically copies $IDS_LB_PROCS into suricata.yaml and then Suricata creates the appropriate number of AF-PACKET workers.

Zeek¶

To change the number of AF-PACKET workers for Zeek:

Stop Zeek:
```
sudo so-zeek-stop
```
Edit /opt/bro/etc/node.cfg and change the lb_procs variable to the desired number of cores.
Start Zeek:
```
sudo so-zeek-start
```

tcpreplay¶

If you try to test AF-PACKET load balancing using tcpreplay locally, please note that load balancing will not work properly and all (or most) traffic will be handled by the first worker in the AF-PACKET cluster. If you need to test AF-PACKET load balancing properly, you can run tcpreplay on another machine connected to your AF-PACKET machine.