[Bro] Hardware Experience

Jason Chambers jchambers at ucla.edu
Tue Jun 2 12:09:39 PDT 2009

Something I found out about these cards is they are PCIe v1.1. "PCIe
v2.0 compatible" doesn't mean what I thought it did.  So even with a
PCIe v2.0 system you can only get 12.5 Gbps from the card.

No idea at the moment when they will have a 2.0 version.


Jason Carr wrote:
> One thing I noticed with the NT20E is that the web site states that "20
> Gbps throughput @ 64 bytes".  I'm assuming that this means that the
> device only captures 64 bytes of the data section of a packet.  I also
> assume this is configurable.  For some things that's fine, but in most
> NIDS (such as Bro, Snort, etc.) you usually want the whole packet.
> What are you using in terms of capture size and bandwidth, if you don't
> mind me asking?
> - Jason
> Jason Chambers wrote:
>> Martin Holste wrote:
>>> Your DAG experience is interesting.  We demoed the 6.2SE's and they
>>> seemed to run OK on libpcap apps for a few days in late 2006.  We've
>>> been running the smaller 1 Gb cousin, the 4.5G2, in production since
>>> then with zero stability problems with libpcap apps.  Link size is 1 Gb
>>> physical, 450 Mb/sec typical load.  In my experience though, the
>>> difference maker is rarely in getting the packets to the CPU, but rather
>>> in the CPU grepping through the packets fast enough.  I anticipate that
>>> the Bro cluster work will do more for full snaplength processing than
>>> hardware acceleration will unless someone writes Bro for Nvidia's CUDA
>>> like they wrote Snort for CUDA with Gnort.
>> I recommend these cards available from nPulse networks. [1] (Napatech is
>> the OEM).  They have more features than the Endace cards and twice the
>> port density.  And, they fully support FreeBSD.  Despite my numerous
>> requests it seems Endace maintains that there will not be future support
>> for FreeBSD due to lack of demand.  To the best of my knowledge, the
>> last official supported FreeBSD version from Endace is the 6.x train.
>> Anyhow that's my personal gripe.
>> [1] http://www.npulsenetworks.com/
>> Napatech 2x10GE NT20E
>> http://www.napatech.com/products/capture_adapters/2x10g_pcie_nt20e.html
>> And when it's available, the NTNPU20E looks like a very exciting
>> complement to the NT20E's.  It was displayed at Interop but is still a
>> few months out from release.
>> http://www.napatech.com/products/inspect_adapters.html
>> HTH,
>> --Jason


Jason Chambers
jchambers at ucla.edu
