[Bro] linux vs freebsd
Peter Van Epp
vanepp at sfu.ca
Fri Dec 5 10:58:31 PST 2008
On Wed, Dec 03, 2008 at 12:39:26PM -0800, Vern Paxson wrote:
> > My understanding has always been that performance is
> > much better under FreeBSD due to the way bpf is implemented
> Historically that's been true.
> > but is it
> > workable on Linux as well? Anyone had experience with a production Bro box
> > on Linux?
> One of our production Bro boxes is running Linux. It occasionally drops
> packets under a not very heavy load (it's monitoring a 100 Mbps link that's
> not used heavily), but so far I haven't been able to correlate these with
> a particular cause such as high-rate traffic spikes.
> That said, we continue to use FreeBSD for our very-high-performance
> (1-10 Gbps) systems. I don't know whether the Linux packet capture has
> improved to where it could also take on these loads (that would of course
> require that the drops seen on the 100 Mbps link aren't due simply to
> packet rate). Linux is supposed to have gotten quite a bit better in
> this regard.
If you haven't already, you may want to try Phil Wood's mmapped pcap
library from http://public.lanl.gov/cpw/. While I haven't beaten on this one at
high volumes, I have had argus losing more than 50% of the traffic on a loaded
(jumbo frame) gig link and reduced that to close to 0 loss with the pf-ring
mmapped Linux code. Pf-ring (from www.ntop.org) is hard to get in and then
somewhat unstable (at least in my experience, but then we have web100 in the
same kernel, which may not be helping :-)). Phil Wood's code needs no kernel
mods, just the libpcap library rebuilt and an environment variable set to
cause the program to use the mmap functions.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada