[Bro] Hardware Experience

Tue Jun 16 14:58:07 PDT 2009

I believe the 1% utilization is in reference to the slight CPU
interaction with DMA transfers.  The rest is left to
<application_of_choice>.

>From what I understand of the documentation there are some pattern
matching capabilities in the NT20E that might be leveraged to deliver
specific traffic to the application.  I'm still reading if and how
running multiple Bro instances (using cpuset [1]) dedicated to certain
types of traffic will work.

[1]
http://www.freebsd.org/cgi/man.cgi?query=cpuset&sektion=1&apropos=0&manpath=FreeBSD+7.2-RELEASE

HTH,

--Jason

Martin Holste wrote:
> Cool!  But I can't believe you're Bro instance is doing much inspecting
> if it's receiving line-rate packets and only using 1% CPU.  As I said
> before, the majority of the CPU time is usually in pattern matching and
> protocol decoding (which is basically pattern matching), so I'm assuming
> that unless the pattern matching is also hardware accelerated, you're
> not pattern matching much of the traffic being sent to Bro.  Is that the
> case?
> 
> Thanks,
> 
> Martin
> 
> On Tue, Jun 16, 2009 at 9:34 AM, Jens Christophersen <jc at napatech.com
> <mailto:jc at napatech.com>> wrote:
> 
>     Hi Jason and Martin,
> 
>      
> 
>     I have with interest read mail tread about Napatech NT20E adapters.
> 
>      
> 
>     The NT20E adapter is able to capture data at line speed for any
>     frame size from 64 bytes to 10000 bytes without slicing the frames.
>     The NT20E support many forms of slicing so the NT20E adapter can be
>     setup to slice frames if you want to reduce the amount of data
>     transferred to the server memory, but for a “Bro” application you
>     probably don’t want to slice frames.
> 
>      
> 
>     If you want high “Bro” performance I can recommend that you setup
>     the NT20E to distribute frames to the number of CPU cores in your
>     server (e.g. 8) based on 5-tuple hash key. When you are using the
>     Napatech zero-copy LibPCAP you start the Napatech LibPcap library
>     with a command file with the following commands:
> 
>           DeleteFilter = All
> 
>     SetupPacketFeedEngine[  TimeStampFormat=PCAP;
> 
>     DescriptorType=PCAP;
> 
>     MaxLatency=1000;
> 
>     SegmentSize=4096;
> 
>     Numfeeds=8 ]
> 
>     PacketFeedCreate[ NumSegments=128; Feed=(0..7) ]
> 
>     HashMode = Hash5TupleSorted
> 
>     Capture[ Feed = (0..7) ] = All
> 
>      
> 
>     Then frames are distributed to the 8 CPUs with a server CPU
>     utilization of less than 1% at full network load, so you have the
>     full server CPU for your Bro application.
> 
>      
> 
>     Best regards, Jens
> 
>      
> 
> 
>       *Yours Sincerely***
> 
>     *Jens Christophersen***
> 
>     *Chief Technology Officer*
> 
>      
> 
>     *Napatech A/S*
> 
>     Tobaksvejen 23A              Phone:    +45 4596 1500
> 
>     DK-2860 Søborg               Fax:      +45 6980 2970
> 
>     Denmark                      Mobile:   +45 3091 5773
> 
>     www.napatech.com <http://www.napatech.com>             E-mail:
>     jc at napatech.com <mailto:jc at napatech.com>
> 
>      
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro