If you want to change the number of AF-PACKET workers after running Setup, you can do the following.
To change the number of AF-PACKET workers for Suricata:
Stop sensor processes:
/etc/nsm/$HOSTNAME-$INTERFACE/sensor.confand change the
IDS_LB_PROCSvariable to the desired number of workers.
Start sensor processes:
suricata.yamland then Suricata creates the appropriate number of AF-PACKET workers.
To change the number of AF-PACKET workers for Zeek:
/opt/bro/etc/node.cfgand change the
lb_procsvariable to the desired number of cores.
If you try to test AF-PACKET load balancing using tcpreplay locally, please note that load balancing will not work properly and all (or most) traffic will be handled by the first worker in the AF-PACKET cluster. If you need to test AF-PACKET load balancing properly, you can run tcpreplay on another machine connected to your AF-PACKET machine.