Your DAG experience is interesting. We demoed the 6.2SE's and they seemed to run OK on libpcap apps for a few days in late 2006. We've been running the smaller 1 Gb cousin, the 4.5G2, in production since then with zero stability problems with libpcap apps. Link size is 1 Gb physical, 450 Mb/sec typical load. In my experience though, the difference maker is rarely in getting the packets to the CPU, but rather in the CPU grepping through the packets fast enough. I anticipate that the Bro cluster work will do more for full snaplength processing than hardware acceleration will unless someone writes Bro for Nvidia's CUDA like they wrote Snort for CUDA with Gnort.<br>
<br>--Martin <br><br><div class="gmail_quote">On Wed, May 27, 2009 at 11:21 PM, Aashish Sharma <span dir="ltr"><<a href="mailto:aashish@uiuc.edu">aashish@uiuc.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Sean:<br>
<br>
Back in 2006 we got 4 Dag 6.2SE cards to monitor our 10G links. During the time we were running firmware 2.5.7.5. on the cards. We had real hard time keeping Bro running reliably in a sustained manner using Dag cards. We encountered a lot of issues - including lack of drivers, lack of built in support for libpcap, crashing of Bro repeatedly, heating up and crashing of system as well.<br>
<br>
In fact, Robin helped us quite a bit and even wrote drivers and support for Dag in Bro. Endace support was prompt too and they provided us with a new modified firmware but not much changed.<br>
<br>
During all that time, For production Bro we relied on a pair of Intel 10G cards while we resolve this issue with Dag cards (spent considerable time trying to get this working),<br>
<br>
All in all, we had lot of issues running Dag capture cards reliably. Eventually, we gave up and got Myricom 10G cards. We have been quite happy with Myricom cards and have not encountered any issues since.<br>
<br>
Hope this helps,<br>
<font color="#888888"><br>
Aashish Sharma<br>
NCSA<br>
</font><div><div></div><div class="h5"><br>
<br>
On Wed, May 27, 2009 at 02:54:39PM -0600, Sean McCreary wrote:<br>
> I'd be careful about purchasing 10G NICs for packet capture. I have not<br>
> been able to configure a FreeBSD 6.3 system with a Myricom Myri-10G NIC<br>
> to reliably capture traffic on a lightly loaded link (~2Mb/s, ~240<br>
> kpps). One option I'm interested in trying is the Endace DAG,<br>
> <<a href="http://www.endace.com/dag-network-monitoring-cards.html" target="_blank">http://www.endace.com/dag-network-monitoring-cards.html</a>>. Does anyone<br>
> have experience using these cards with bro?<br>
><br>
> Nick Buraglio wrote:<br>
> > Good afternoon, list. I'm hoping to get a quick opinion on some<br>
> > hardware. I've done some brief looking and not really found what I'm<br>
> > seeking so I'll post here in hopes that one of you can share some<br>
> > experience.<br>
> > I'm exploring deployment of some Bro boxes and was hoping to leverage<br>
> > a great deal that Sun is offering to get the hardware. I know that<br>
> > the boxes can do what I need them to do, as I've worked on Bro<br>
> > implementations elsewhere. What I'd really like to know is if anyone<br>
> > has used the Sun (Intel Chipset 82598) dual port 10g cards? They're a<br>
> > decent savings of capitol, but I'd rather just spend the money to get<br>
> > the cards I'm used to (single port 10g Intel or Myricom) if the dual<br>
> > port cards behave strangely or are a time-vortex to get working.<br>
> > I'm making an assumption that the dual port cards operate similar to<br>
> > the single port cards. Has anyone used these in a bro deployment?<br>
> ><br>
> ><br>
> > Thanks,<br>
> > nb<br>
> > ---<br>
> > Nick Buraglio<br>
> > Network Engineer, CITES, University of Illinois<br>
> > GPG key 0x2E5B44F4<br>
> > Phone: 217.244.6428<br>
> > <a href="mailto:buraglio@illinois.edu">buraglio@illinois.edu</a><br>
> _______________________________________________<br>
> Bro mailing list<br>
> <a href="mailto:bro@bro-ids.org">bro@bro-ids.org</a><br>
> <a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro</a><br>
_______________________________________________<br>
Bro mailing list<br>
<a href="mailto:bro@bro-ids.org">bro@bro-ids.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro</a><br>
</div></div></blockquote></div><br>