[Bro] Hardware Experience
jchambers at ucla.edu
Thu May 28 13:25:46 PDT 2009
Sorry to reply to my own post. Maybe this link explains the details better.
Jason Chambers wrote:
> The tech sheet says otherwise. "Full-line-rate processing for all
> frames from 64 bytes to 10.000 bytes".
> I cannot comment on our setup at the moment as hardware is pending.
> Jason Carr wrote:
>> One thing I noticed with the NT20E is that the web site states that "20
>> Gbps throughput @ 64 bytes". I'm assuming that this means that the
>> device only captures 64 bytes of the data section of a packet. I also
>> assume this is configurable. For some things that's fine, but in most
>> NIDS (such as Bro, snort, etc) you usually want the whole packet.
>> What are you using in terms of capture size and bandwidth, if you don't
>> mind me asking?
>> - Jason
>> Jason Chambers wrote:
>>> Martin Holste wrote:
>>>> Your DAG experience is interesting. We demoed the 6.2SE's and they
>>>> seemed to run OK on libpcap apps for a few days in late 2006. We've
>>>> been running the smaller 1 Gb cousin, the 4.5G2, in production since
>>>> then with zero stability problems with libpcap apps. Link size is 1 Gb
>>>> physical, 450 Mb/sec typical load. In my experience though, the
>>>> difference maker is rarely in getting the packets to the CPU, but rather
>>>> in the CPU grepping through the packets fast enough. I anticipate that
>>>> the Bro cluster work will do more for full snaplength processing than
>>>> hardware acceleration will unless someone writes Bro for Nvidia's CUDA
>>>> like they wrote Snort for CUDA with Gnort.
>>> I recommend these cards available from nPulse networks.  (Napatech is
>>> the OEM). They have more features than the Endace cards and twice the
>>> port density. And, they fully support FreeBSD. Despite my numerous
>>> requests it seems Endace maintains that there will not be future support
>>> for FreeBSD due to lack of demand. To the best of my knowledge, the
>>> last official supported FreeBSD version from Endace is the 6.x train.
>>> Anyhow that's my personal gripe.
>>>  http://www.npulsenetworks.com/
>>> Napatech 2x10GE NT20E
>>> And when it's available, the NTNPU20E looks like a very exciting
>>> complement to the NT20E's. It was displayed at Interop but is still a
>>> few months out from release.
>>> Bro mailing list
>>> bro at bro-ids.org
> Bro mailing list
> bro at bro-ids.org
jchambers at ucla.edu
More information about the Bro