[Bro] Question about network cards

Brandon Glaze bglaze at gmail.com
Tue Jun 7 09:19:15 PDT 2016

I have had a great deal of success using Netronome cards. I built a couple
of clusters using older Netronome NFE-3240's, but am getting ready to test
their new NFP-4000 based cards (AgilIO 40Gx1 cards). The netronome NFP
(Network Flow Processor) uses a packet coalescing driver or network flow
capture driver to load balance traffic to seperate "rings". For Bro, and
the load balancers we use, I use both 10G ports on each card (1 card per
server), then have the packet coalescing driver load balance the traffic
from both ports to all available rings (at 100Mb per ring), then tie a CPU
core to each ring. It takes some tuning, and depends on your traffic, but I
have successfully hit 80G using one cluster with off the shelf servers and
the older netronome cards, which were far cheaper than the Myricoms.

There is more support from the community with the Myricom cards, and Bro
has native support, so that should be factored in...

Just a note, SourceFire and Cisco use the Netronome cards in their network
security products (or used to before Cisco assimilated SourceFire), so they
are high end and work very well. Their API is well documented as well.

Brandon Glaze
bglaze at gmail.com

"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr

On Tue, Apr 12, 2016 at 1:23 PM, Giesige, Rich <Rich.Giesige at oregonstate.edu
> wrote:

> Hello,
> I’m wondering what people are using for network cards in their bro
> clusters that are not using the Myricom Network Cards. We don’t have a
> $1,000 dollars per a card + license to spend on the cards. Is anyone using
> Intel or other brands that aren’t as expensive to capture their traffic? We
> are looking at doing all 10 Gig connections into the Bro Cluster.
> Thanks for all your answers.
> --
> Richard Giesige
> IT Security Analyst
> Office of Information Security
> Oregon State University
> "OSU staff will NEVER ask for you password.
> Never email or share your password with anyone."
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160607/8306609a/attachment.html 

More information about the Bro mailing list