[Bro] linux vs freebsd

Peter Van Epp vanepp at sfu.ca
Fri Dec 5 10:58:31 PST 2008

On Wed, Dec 03, 2008 at 12:39:26PM -0800, Vern Paxson wrote:
> > My understanding has always been that performance is
> > much better under FreeBSD due to the way bpf is implemented
> Historically that's been true.
> > but is it
> > workable on Linux as well? Anyone had experience with a production Bro box
> > on Linux?
> One of our production Bro boxes is running Linux.  It occasionally drops
> packets under a not very heavy load (it's monitoring a 100 Mbps link that's
> not used heavily), but so far I haven't been able to correlate these with
> a particular cause such as high-rate traffic spikes.
> That said, we continue to use FreeBSD for our very-high-performance
> (1-10 Gbps) systems.  I don't know whether the Linux packet capture has
> improved to where it could also take on these loads (that would of course
> require that the drops seen on the 100 Mbps link aren't due simply to
> packet rate).  Linux is supposed to have gotten quite a bit better in
> this regard.
> 		Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

	If you haven't already, you may want to try Phil Wood's mmapped pcap
library from http://public.lanl.gov/cpw/. While I haven't beat on this one at 
high volumes I have had argus losing more than %50 of the traffic on a loaded 
(jumbo frame) gig link and reduced that to close to 0 loss with the pf-ring 
mmapped linux code. Pf-ring (from www.ntop.org) is hard to get in and then 
somewhat unstable (at least in my experience but then we have web100 in the 
same kernel which may not be helping :-)). Phil Wood's code needs no kernel 
mods just the libpcap library rebuilt and an environment variable set to 
cause the program to use the mmap functions.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the Bro mailing list