[Bro] BRO performance in a real world
mike.patterson at uwaterloo.ca
Mon Apr 22 12:34:39 PDT 2013
I just got my filthy paws on another host similar to the one I specced earlier. It will be getting similar-but-different loads to that one, on a slower CPU and with an Intel NIC instead of the DAG. Once I've got some performance numbers, I'll post those too.
I don't mind if people want to contact me, either on or off-list, to see how things are running and what I'm doing.
Seth, have you considered collecting these so they're not stashed in the mailing list archives? A "here's some performance numbers from real installations" kind of page. Maybe link it off http://bro.org/community/index.html ?
The most difficult thing in the world is to know how to do a thing and
to watch someone else doing it wrong, without commenting. - T.H. White
On 2013-04-22, at 3:23 PM, Seth Hall <seth at icir.org> wrote:
> On Apr 22, 2013, at 3:07 PM, Michal Purzynski <michal at rsbac.org> wrote:
>> I know that's a lot of questions, but trying to establish a baseline and
>> do some capacity planning here :) And there's nothing in Google, apart
>> from some (I guess old) statement, that a single Bro process can handle
>> up to 80Mbit/sec.
> Yeah, I begrudgingly wrote that because the question came up so frequently. It was based on old estimates and doesn't seem to be as relevant anymore. I know of sites doing everything from 100Mbps/core to >500Mbps/core; it depends heavily on the clock rate of the CPU and how you are capturing packets.
> In the case of the site with >500Mbps/core, they are using an Endace DAG card and skipping the OS nearly completely to acquire packets, and their per-core clock rate is 3.7GHz I believe.
> With 2GHz cores, you likely won't hit that speed, but it will almost certainly be faster than that horribly documented 80Mbps. :)
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network