Cool! But I can't believe you're Bro instance is doing much inspecting if it's receiving line-rate packets and only using 1% CPU. As I said before, the majority of the CPU time is usually in pattern matching and protocol decoding (which is basically pattern matching), so I'm assuming that unless the pattern matching is also hardware accelerated, you're not pattern matching much of the traffic being sent to Bro. Is that the case?<br>
<br>Thanks,<br><br>Martin<br><br><div class="gmail_quote">On Tue, Jun 16, 2009 at 9:34 AM, Jens Christophersen <span dir="ltr"><<a href="mailto:jc@napatech.com">jc@napatech.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">Hi Jason and Martin,</span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">I have with interest read mail tread about Napatech NT20E
adapters.</span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">The NT20E adapter is able to capture data at line speed for
any frame size from 64 bytes to 10000 bytes without slicing the frames. The
NT20E support many forms of slicing so the NT20E adapter can be setup to slice frames
if you want to reduce the amount of data transferred to the server memory, but
for a “Bro” application you probably don’t want to slice
frames. </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">If you want high “Bro” performance I can recommend
that you setup the NT20E to distribute frames to the number of CPU cores in
your server (e.g. 8) based on 5-tuple hash key. When you are using the Napatech
zero-copy LibPCAP you start the Napatech LibPcap library with a command file
with the following commands:</span></font></p>
<p><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";"> DeleteFilter = All</span></font></p>
<p style="text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">SetupPacketFeedEngine[ TimeStampFormat=PCAP;</span></font></p>
<p style="margin-left: 2in; text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">DescriptorType=PCAP;</span></font></p>
<p style="margin-left: 2in; text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">MaxLatency=1000;</span></font></p>
<p style="margin-left: 2in; text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">SegmentSize=4096;</span></font></p>
<p style="margin-left: 2in; text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">Numfeeds=8
]</span></font></p>
<p style="text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">PacketFeedCreate[
NumSegments=128; Feed=(0..7) ]</span></font></p>
<p style="text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">HashMode = Hash5TupleSorted</span></font></p>
<p style="text-indent: 0.5in;"><font size="2" face="Courier New"><span style="font-size: 10pt; font-family: "Courier New";">Capture[ Feed = (0..7) ] = All</span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">Then frames are distributed to the 8 CPUs with a server CPU utilization
of less than 1% at full network load, so you have the full server CPU for your
Bro application.</span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;">Best regards, Jens</span></font></p>
<p><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial;"> </span></font></p>
<h1><b><font color="navy" size="2" face="Arial"><span style="font-size: 10pt; color: navy; font-weight: bold;">Yours Sincerely</span></font></b><b><font color="navy" size="2"><span style="font-size: 11pt; color: navy; font-weight: bold;"></span></font></b></h1>
<p><b><font color="black" size="3" face="Arial"><span style="font-size: 12pt; font-family: Arial; color: black; font-weight: bold;">Jens Christophersen</span></font></b><b><font color="navy" face="Arial"><span style="font-family: Arial; color: navy; font-weight: bold;"></span></font></b></p>
<p><b><font color="#999999" size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: rgb(153, 153, 153); font-weight: bold;">Chief
Technology Officer</span></font></b></p>
<p><font color="gray" size="1" face="Arial"><span style="font-size: 8pt; font-family: Arial; color: gray;"> </span></font></p>
<p><b><font color="gray" size="2" face="Lucida Console"><span style="font-size: 10pt; font-family: "Lucida Console"; color: gray; font-weight: bold;">Napatech A/S</span></font></b><font color="navy" face="Tahoma"><span style="font-family: Tahoma; color: navy;"></span></font></p>
<p><font color="gray" size="2" face="Lucida Console"><span style="font-size: 10pt; font-family: "Lucida Console"; color: gray;">Tobaksvejen
23A Phone: +45
4596 1500</span></font><font color="navy" face="Tahoma"><span style="font-family: Tahoma; color: navy;"></span></font></p>
<p><font color="gray" size="2" face="Lucida Console"><span style="font-size: 10pt; font-family: "Lucida Console"; color: gray;" lang="NO-BOK">DK-2860
Søborg
Fax: +45 6980 2970</span></font></p>
<p><font color="gray" size="2" face="Lucida Console"><span style="font-size: 10pt; font-family: "Lucida Console"; color: gray;" lang="NO-BOK">Denmark
Mobile: +45 3091 5773</span></font><font color="navy" face="Tahoma"><span style="font-family: Tahoma; color: navy;" lang="NO-BOK"></span></font></p>
<p><font color="gray" size="2" face="Lucida Console"><span style="font-size: 10pt; font-family: "Lucida Console"; color: gray;" lang="PT-BR"><a href="http://www.napatech.com" target="_blank">www.napatech.com</a>
E-mail: <a href="mailto:jc@napatech.com" target="_blank">jc@napatech.com</a></span></font><font color="navy"><span style="color: navy;" lang="PT-BR"></span></font></p>
<p><font size="3" face="Times New Roman"><span style="font-size: 12pt;" lang="DA"> </span></font></p>
</div>
</div>
</blockquote></div><br>