[Bro] Hardware Experience

Martin Holste mcholste at gmail.com
Tue Jun 16 07:50:07 PDT 2009 

Cool!  But I can't believe you're Bro instance is doing much inspecting if
it's receiving line-rate packets and only using 1% CPU.  As I said before,
the majority of the CPU time is usually in pattern matching and protocol
decoding (which is basically pattern matching), so I'm assuming that unless
the pattern matching is also hardware accelerated, you're not pattern
matching much of the traffic being sent to Bro.  Is that the case?

Thanks,

Martin

On Tue, Jun 16, 2009 at 9:34 AM, Jens Christophersen <jc at napatech.com>wrote:

>  Hi Jason and Martin,
>
>
>
> I have with interest read mail tread about Napatech NT20E adapters.
>
>
>
> The NT20E adapter is able to capture data at line speed for any frame size
> from 64 bytes to 10000 bytes without slicing the frames. The NT20E support
> many forms of slicing so the NT20E adapter can be setup to slice frames if
> you want to reduce the amount of data transferred to the server memory, but
> for a “Bro” application you probably don’t want to slice frames.
>
>
>
> If you want high “Bro” performance I can recommend that you setup the NT20E
> to distribute frames to the number of CPU cores in your server (e.g. 8)
> based on 5-tuple hash key. When you are using the Napatech zero-copy LibPCAP
> you start the Napatech LibPcap library with a command file with the
> following commands:
>
>       DeleteFilter = All
>
> SetupPacketFeedEngine[  TimeStampFormat=PCAP;
>
> DescriptorType=PCAP;
>
> MaxLatency=1000;
>
> SegmentSize=4096;
>
> Numfeeds=8 ]
>
> PacketFeedCreate[ NumSegments=128; Feed=(0..7) ]
>
> HashMode = Hash5TupleSorted
>
> Capture[ Feed = (0..7) ] = All
>
>
>
> Then frames are distributed to the 8 CPUs with a server CPU utilization of
> less than 1% at full network load, so you have the full server CPU for your
> Bro application.
>
>
>
> Best regards, Jens
>
>
> *Yours Sincerely***
>
> *Jens Christophersen***
>
> *Chief Technology Officer*
>
>
>
> *Napatech A/S*
>
> Tobaksvejen 23A              Phone:    +45 4596 1500
>
> DK-2860 Søborg               Fax:      +45 6980 2970
>
> Denmark                      Mobile:   +45 3091 5773
>
> www.napatech.com             E-mail: jc at napatech.com
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20090616/a635b670/attachment.html

More information about the Bro mailing list