[Bro] Solaris 10 pointers

scott campbell scampbell at lbl.gov
Thu Nov 3 17:38:36 PST 2005

Paul Hyder wrote:
> Don't see anything in the email archive in the last few years.
> Google searches for specific Solaris bugs have helped but I
> still don't have a clean build.  [Currently trying to find a
> way around the lack of asprintf.]
> If anyone has info/suggestions/URLs that will help me build bro on
> Solaris 10/x86 please let me know.  [OR experience with 10G Ethernet
> on any OS.]
>     Paul Hyder
>     NOAA Earth System Research Laboratory, Global Systems Division
>     Boulder, CO

We are currently using bro with a 10G ethernet connection, but the 
solution may not be what you are looking for.

Since there are fundamental issues with handling that volume of data on 
a PC architecture, we have exploited VACLs on a border-facing 
Cisco 65xx in order to extract what traffic we know will be 
interesting, while avoiding the large flow issues that would otherwise 
plague us.  A Juniper can do the same thing except that they call it 
filter-based port mirroring.

We have used this technique quite successfully at the IEEE 
Supercomputing conference every year for a while now and the technique 
scales quite well (to dozens of 10 gig links).  Please contact me if you 
want more information about this.

As an option, you can also use a processing offload card that does most 
of the pcap-like filtering for you (typically in an ASIC-type form). 
The filtered data shows up as a network interface/device and you can use 
it as you would any other feed.  Metanetworks makes a card that we have 
used for this purpose, but there are several other vendors who do quite 
similar things.

If none of this is an option, I can point you to other documents that 
discuss issues with regard to high speed data sampling using commodity 
hardware.  Depending on traffic characteristics and what actual volume 
you are seeing, it may be quite possible to do this without significant 
data loss.

Feel free to contact me if you have any other questions about this.

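A worked example of the VACL capture approach described in the reply above, added here as an illustration; it is not part of the original post and is not Scott Campbell's configuration. It assumes a Catalyst 6500 running IOS, that the border traffic rides VLAN 100, that the Bro sensor is attached to GigabitEthernet1/1, and that the "large flows" to keep away from the sensor are a hypothetical bulk-data port range (50000-51000). VLAN number, port, and ACL contents are placeholders to be adapted to the local topology.

```cisco
! Added example (not from the original post): Catalyst 6500 VACL capture
! feeding a Bro sensor.  VLAN 100, Gi1/1 and the ACL contents are
! assumed placeholders.
!
! 1. Define what is "interesting".  In a VACL, a deny entry in the
!    matched ACL means "this clause does not match", so the hypothetical
!    bulk-data range is excluded first and only the listed protocols
!    reach the sensor.  Anything else falls through to clause 20 below.
ip access-list extended BRO-INTERESTING
 deny   tcp any any range 50000 51000
 deny   tcp any range 50000 51000 any
 permit tcp any any eq 22
 permit tcp any any eq 25
 permit udp any any eq 53
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit icmp any any
!
! 2. VLAN access map: matching traffic is forwarded normally AND copied
!    to the capture port.  The trailing clause with no match condition
!    forwards everything else; without it the VACL would drop it.
vlan access-map BRO-CAPTURE 10
 match ip address BRO-INTERESTING
 action forward capture
vlan access-map BRO-CAPTURE 20
 action forward
!
! 3. Apply the map to the border VLAN.
vlan filter BRO-CAPTURE vlan-list 100
!
! 4. Turn the sensor port into a capture port, restricted to VLAN 100 so
!    it does not also receive captured frames from other VLANs.
interface GigabitEthernet1/1
 description Bro sensor (VACL capture port)
 switchport
 switchport capture allowed vlan 100
 switchport capture
 no shutdown
!
! Verification:
!   show ip access-lists BRO-INTERESTING
!   show vlan access-map BRO-CAPTURE
!   show vlan filter
```

On the sensor the capture port is just another interface (for example `bro -i eth0`), so no Bro-side change is needed. The trade-off to keep in mind: Bro only ever sees what the ACL permits, so a connection on an unlisted port is invisible to it, and the "large flow" exclusion has to be reviewed whenever the bulk-data applications change ports.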
