[Bro] Hardware Experience

Nick Buraglio buraglio at illinois.edu
Mon Jun 29 14:22:05 PDT 2009 

I actually did quite a bit of the work with Aashish on the Dag and  
Myricom cards (I was the one that gave them to him back when I still  
worked at NCSA), and like he said we had lots of issues with them.   
Endace support was helpful but in the end it was a more supportable  
direction to go with the Intel and Myricom cards.
Using NICs has proven to be very robust for us.  I have the cards that  
I'd originally sent the mail out about running on a FreeBSD 7.2 system  
watching pretty heavily loaded links and so far have not seen any  
issues.

nb

---
Nick Buraglio
Network Engineer, CITES, University of Illinois
GPG key 0x2E5B44F4
Phone: 217.244.6428
buraglio at illinois.edu



On May 27, 2009, at 11:21 PM, Aashish Sharma wrote:

> Hi Sean:
>
> Back in 2006 we got 4 Dag 6.2SE cards to monitor our 10G links.  
> During the time we were running firmware 2.5.7.5. on the cards. We  
> had real hard time keeping Bro running reliably in a sustained  
> manner using Dag cards.  We encountered a lot of issues - including  
> lack of drivers, lack of built in support for libpcap, crashing of  
> Bro repeatedly, heating up and crashing of system as well.
>
> In fact, Robin helped us quite a bit and even wrote drivers and  
> support for Dag in Bro.  Endace support was prompt too and they  
> provided us with a new modified firmware but not much changed.
>
> During all that time, For production Bro we relied on a pair of  
> Intel 10G cards while we resolve this issue with Dag cards (spent  
> considerable time trying to get this working),
>
> All in all, we had lot of issues running Dag capture cards reliably.  
> Eventually, we gave up and got Myricom 10G cards.  We have been  
> quite happy with Myricom cards and have not encountered any issues  
> since.
>
> Hope this helps,
>
> Aashish Sharma
> NCSA
>
>
> On Wed, May 27, 2009 at 02:54:39PM -0600, Sean McCreary wrote:
>> I'd be careful about purchasing 10G NICs for packet capture.  I  
>> have not
>> been able to configure a FreeBSD 6.3 system with a Myricom Myri-10G  
>> NIC
>> to reliably capture traffic on a lightly loaded link (~2Mb/s, ~240
>> kpps).  One option I'm interested in trying is the Endace DAG,
>> <http://www.endace.com/dag-network-monitoring-cards.html>.  Does  
>> anyone
>> have experience using these cards with bro?
>>
>> Nick Buraglio wrote:
>>> Good afternoon, list.  I'm hoping to get a quick opinion on some
>>> hardware.  I've done some brief looking and not really found what  
>>> I'm
>>> seeking so I'll post here in hopes that one of you can share some
>>> experience.
>>> I'm exploring deployment of some Bro boxes and was hoping to  
>>> leverage
>>> a great deal that Sun is offering to get the hardware.  I know that
>>> the boxes can do what I need them to do, as I've worked on Bro
>>> implementations elsewhere.  What I'd really like to know is if  
>>> anyone
>>> has used the Sun (Intel Chipset 82598) dual port 10g cards?   
>>> They're a
>>> decent savings of capitol, but I'd rather just spend the money to  
>>> get
>>> the cards I'm used to (single port 10g Intel or Myricom) if the dual
>>> port cards behave strangely or are a time-vortex to get working.
>>> I'm making an assumption that the dual port cards operate similar to
>>> the single port cards.  Has anyone used these in a bro deployment?
>>>
>>>
>>> Thanks,
>>> nb
>>> ---
>>> Nick Buraglio
>>> Network Engineer, CITES, University of Illinois
>>> GPG key 0x2E5B44F4
>>> Phone: 217.244.6428
>>> buraglio at illinois.edu
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list