[Bro] Network capture cards -- your experience

Joel Ebrahimi jebrahimi at bivio.net
Fri Sep 12 14:43:40 PDT 2008


Hi Jason,

I work for Bivio Networks and we have deployed Bro on our hardware and
achieved multi-gig monitoring throughput. Our hardware is a specialty
networking appliance and not commodity hardware with an accelerator
card.

Our appliance is a Linux-based operating system with a distributed
multi-core architecture. The system I ran testing on was a
12-core system. Our systems can actually be daisy-chained together using
a backplane cable, which would provide more cores for more horsepower.

The configuration of Bro, size of the packets, and type of traffic that
is sent to the system can have a significant impact on processing
throughput.  In most of the tests I ran I saw performance between
500Mb/s and 6Gb/s.

I'm not really sure if that is the information you are looking for, but it's
another option for high-speed Bro processing.

// Joel 


-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU
[mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Jason Chambers
Sent: Friday, September 12, 2008 12:47 PM
To: bro at bro-ids.org
Subject: [Bro] Network capture cards -- your experience

Hello all,

I've read a number of research papers on using commodity hardware for
high speed network capture and I'd like to solicit real world feedback
on performance.

Endace products work great, however I'm interested to know of other
cards that prove to be worthwhile. 

If you're running a custom-built implementation that is processing >=
700Mbps on average then you're the person I want to hear from.

Off-list replies are fine.  I'll summarize the results if people are
interested.

Thanks !

--Jason


Here are some metrics off the top of my head...


Card type (vendor, model, pci-e or pci-x)
    -

Card traffic is x or >= 700Mbps ?
    -

Device traffic is >= 1 Gbps (multiple 1 gig cards) ?
    -

Packets per second (average/max) ?
    -

Percentage of dropped traffic ?
    -

Operating system / device polling or MMAP used ?
    -

Processor type / number of cores ?
    -

Average CPU utilization ?
    -

Multiple applications connecting to the same pcap chain ?
    -


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



