[Bro] Network capture cards -- your experience
Matt Cuttler
mcuttler at bnl.gov
Fri Sep 12 15:54:41 PDT 2008
On 9/12/08 5:43 PM, "Joel Ebrahimi" <jebrahimi at bivio.net> wrote:
> Hi Jason,
>
> I work for Bivio Networks and we have deployed Bro on our hardware and
> achieved multi-gig monitoring throughput. Our hardware is a specialty
> networking appliance and not commodity hardware with an accelerator
> card.
>
> Our appliance is a Linux-based operating system with a distributed
> multi-core architecture. The system I ran testing on was a
> 12-core system. Our systems can actually be daisy-chained together using
> a backplane cable, which would provide more cores for more horsepower.
>
> The configuration of Bro, size of the packets, and type of traffic that
> is sent to the system can have a significant impact on processing
> throughput. In most of the tests I ran I saw performance between
> 500Mb/s to 6Gb/s.
>
> I'm not really sure if that is information you are looking for but it's
> another option for high-speed Bro processing.

Joel,

Please understand that this post is not intended to be antagonistic in any
way, but I remember Bivio claiming to (briefly) natively support Bro (with a
custom and/or pre-compiled and/or optimized-for-hardware version; IIRC it
was called "Brooklyn").

Policy prevents me from publicly endorsing any product/service/vendor
(etc.). I will say, though, that your appliances perform approx. as well as
the sales documents claim they do, in real-world use.

Which brings me to my question: is there a resurgence in Bro interest within
your company? Or are you simply stating above that you have a platform which
can run a NIDS stack at high speeds?

Public or private reply is O.K.

Thanks,
Matt Cuttler