[Bro] Problems with our hardware

Vito Logrillo vitologrillo at gmail.com
Wed Jun 10 02:07:37 PDT 2015


Hi all,
I've made some tests using hardware with these features:

* 2x Intel(R) Xeon(R) CPU E5320  @ 1.86GHz
* 8 GB RAM
* 8x 72GB disks 10000 rpm scsi
* Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet (rev 12)

Bro was configured in this way:

* Pf_ring aware drivers
* Bro 1.4 beta
* 2 workers

  [manager]
  type=manager
  host=localhost
  #
  [proxy-1]
  type=proxy
  host=localhost
  #
  [worker-1]
  type=worker
  host=localhost
  interface=eth1
  lb_method=pf_ring
  lb_procs=4
  #
  [worker-2]
  type=worker
  host=localhost
  interface=eth1
  lb_method=pf_ring
  lb_procs=4

I've used tcpreplay to send a known stream at full bandwidth for
1 minute: all data sent was fully analyzed by Bro only after 2 hours!!

On this link
https://www.bro.org/sphinx-git/cluster/index.html
you have reported this rule of thumb

"The rule of thumb we have followed recently is to allocate
approximately 1 core for every 80Mbps of traffic that is being
analyzed. However, this estimate could be extremely traffic
mix-specific. It has generally worked for mixed traffic with many
users and servers. For example, if your traffic peaks around 2Gbps
(combined) and you want to handle traffic at peak load, you may want
to have 26 cores available (2048 / 80 == 25.6). If the 80Mbps estimate
works for your traffic, this could be handled by 3 physical hosts
dedicated to being workers with each one containing dual 6-core
processors."

Using your rule of thumb, Bro should complete the process in 2 minutes
(more or less) and not two hours: what's wrong? Any suggestion?
Regards,
Vito
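
An added example, not part of the original message or of Bro itself: it parses the node.cfg posted above and applies the quoted 80 Mbps-per-core rule of thumb to it. The function name `summarize`, the 1000 Mbps link rate (taken from the Gigabit NIC) and the count of 8 host cores (two quad-core E5320 CPUs) are assumptions.

```python
import configparser
import math

MBPS_PER_CORE = 80  # rule of thumb quoted in the message

# node.cfg as posted in the message, embedded so the example runs offline
NODE_CFG = """\
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4
#
[worker-2]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4
"""

def summarize(cfg_text, link_mbps, host_cores):
    """Compare the processes a node.cfg starts with the rule of thumb."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    worker_procs = other_procs = 0
    for name in cp.sections():
        node = cp[name]
        if node.get("type") == "worker":
            # a worker entry without lb_procs runs a single process
            worker_procs += node.getint("lb_procs", fallback=1)
        else:
            other_procs += 1  # manager and proxy: one process each
    total = worker_procs + other_procs
    return {
        "worker_procs": worker_procs,
        "total_procs": total,
        "cores_needed": math.ceil(link_mbps / MBPS_PER_CORE),
        "capacity_mbps": worker_procs * MBPS_PER_CORE,
        "oversubscribed": total > host_cores,
    }

if __name__ == "__main__":
    # link_mbps and host_cores are assumptions, see the lead-in
    print(summarize(NODE_CFG, link_mbps=1000, host_cores=8))
```
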

