[Bro] Hardware Experience
jcarr at andrew.cmu.edu
Thu May 28 11:13:04 PDT 2009
One thing I noticed with the NT20E is that the web site states "20
Gbps throughput @ 64 bytes". I'm assuming that this means that the
device only captures 64 bytes of the data section of a packet. I also
assume this is configurable. For some things that's fine, but in most
NIDS (such as Bro, Snort, etc.) you usually want the whole packet.

What are you using in terms of capture size and bandwidth, if you don't
mind me asking?

Jason Chambers wrote:
> Martin Holste wrote:
>> Your DAG experience is interesting. We demoed the 6.2SE's and they
>> seemed to run OK on libpcap apps for a few days in late 2006. We've
>> been running the smaller 1 Gb cousin, the 4.5G2, in production since
>> then with zero stability problems with libpcap apps. Link size is 1 Gb
>> physical, 450 Mb/sec typical load. In my experience though, the
>> difference maker is rarely in getting the packets to the CPU, but rather
>> in the CPU grepping through the packets fast enough. I anticipate that
>> the Bro cluster work will do more for full snaplength processing than
>> hardware acceleration will unless someone writes Bro for Nvidia's CUDA
>> like they wrote Snort for CUDA with Gnort.
> I recommend these cards available from nPulse networks.  (Napatech is
> the OEM). They have more features than the Endace cards and twice the
> port density. And, they fully support FreeBSD. Despite my numerous
> requests it seems Endace maintains that there will not be future support
> for FreeBSD due to lack of demand. To the best of my knowledge, the
> last official supported FreeBSD version from Endace is the 6.x train.
> Anyhow that's my personal gripe.
>  http://www.npulsenetworks.com/
> Napatech 2x10GE NT20E
> And when it's available, the NTNPU20E looks like a very exciting
> complement to the NT20E's. It was displayed at Interop but is still a
> few months out from release.