[Bro] Solaris 10 pointers
scott campbell
scampbell at lbl.gov
Thu Nov 3 17:38:36 PST 2005
Paul Hyder wrote:
> Don't see anything in the email archive in the last few years.
>
> Google searches for specific Solaris bugs have helped but I
> still don't have a clean build. [Currently trying to find a
> way around the lack of asprintf.]
>
> If anyone has info/suggestions/URLs that will help me build bro on
> Solaris 10/x86 please let me know. [OR experience with 10G Ethernet
> on any OS.]
> Paul Hyder
> NOAA Earth System Research Laboratory, Global Systems Division
> Boulder, CO
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
We are currently using bro with a 10G Ethernet connection, but the
solution may not be what you are looking for.

Since there are fundamental issues with handling that volume of data on
a PC architecture, we have exploited the use of VACLs on a border-facing
Cisco 65xx in order to extract what traffic we know will be
interesting, while avoiding the large flow issues that would otherwise
plague us. A Juniper can do the same thing except that they call it
filter-based port mirroring.

We have used this technique quite successfully at the IEEE
Supercomputing conference every year for a while now and the technique
scales quite well (to dozens of 10 gig links). Please contact me if you
want more information about this.

As an option, you can also use a processing offload card that does most
of the pcap-like filtering for you (typically in an ASIC-type form).
The filtered data shows up as a network interface/device and you can use
it as you would any other feed. Metanetworks makes a card that we have
used for this purpose, but there are several other vendors who do quite
similar things.

If none of this is an option, I can point you to other documents that
discuss issues with regard to high-speed data sampling using commodity
hardware. Depending on traffic characteristics and what actual volume
you are seeing, it may be quite possible to do this without significant
data loss.

Feel free to contact me if you have any other questions about this.

scott