[Bro] Hardware Experience

William L. Jones jones at tacc.utexas.edu
Tue Jun 30 10:22:38 PDT 2009


TACC is using the Sun dual port cards. 

The system runs a Bro cluster with IP filters to break the traffic up into multiple IP quadrants; this allows a different CPU to work on each quadrant of IP space.

My rule of thumb is that it takes 1 CPU to process 1 Gigabit of data.

Right now the system is a 4 CPU system to monitor two 10 GigE connections; it is just a starter system.  I plan to upgrade it to two 8 CPU systems, each monitoring one 10 GigE connection, later this year.

I don't know how far this configuration will scale. 

Bill Jones 



-----Original Message-----
From: bro-bounces at ICSI.Berkeley.EDU [mailto:bro-bounces at ICSI.Berkeley.EDU] On Behalf Of Nick Buraglio
Sent: Monday, June 29, 2009 4:22 PM
To: bro at bro-ids.org
Subject: Re: [Bro] Hardware Experience

I actually did quite a bit of the work with Aashish on the Dag and  
Myricom cards (I was the one that gave them to him back when I still  
worked at NCSA), and like he said we had lots of issues with them.   
Endace support was helpful but in the end it was a more supportable  
direction to go with the Intel and Myricom cards.
Using NICs has proven to be very robust for us.  I have the cards that  
I'd originally sent the mail out about running on a FreeBSD 7.2 system  
watching pretty heavily loaded links and so far have not seen any  
issues.

nb

---
Nick Buraglio
Network Engineer, CITES, University of Illinois
GPG key 0x2E5B44F4
Phone: 217.244.6428
buraglio at illinois.edu



On May 27, 2009, at 11:21 PM, Aashish Sharma wrote:

> Hi Sean:
>
> Back in 2006 we got 4 Dag 6.2SE cards to monitor our 10G links.
> During the time we were running firmware 2.5.7.5 on the cards. We
> had a real hard time keeping Bro running reliably in a sustained
> manner using Dag cards.  We encountered a lot of issues - including
> lack of drivers, lack of built in support for libpcap, crashing of
> Bro repeatedly, heating up and crashing of system as well.
>
> In fact, Robin helped us quite a bit and even wrote drivers and  
> support for Dag in Bro.  Endace support was prompt too and they  
> provided us with a new modified firmware but not much changed.
>
> During all that time, for production Bro we relied on a pair of
> Intel 10G cards while we resolve this issue with Dag cards (spent
> considerable time trying to get this working).
>
> All in all, we had a lot of issues running Dag capture cards reliably.
> Eventually, we gave up and got Myricom 10G cards.  We have been  
> quite happy with Myricom cards and have not encountered any issues  
> since.
>
> Hope this helps,
>
> Aashish Sharma
> NCSA
>
>
> On Wed, May 27, 2009 at 02:54:39PM -0600, Sean McCreary wrote:
>> I'd be careful about purchasing 10G NICs for packet capture.  I  
>> have not
>> been able to configure a FreeBSD 6.3 system with a Myricom Myri-10G  
>> NIC
>> to reliably capture traffic on a lightly loaded link (~2Mb/s, ~240
>> kpps).  One option I'm interested in trying is the Endace DAG,
>> <http://www.endace.com/dag-network-monitoring-cards.html>.  Does  
>> anyone
>> have experience using these cards with bro?
>>
>> Nick Buraglio wrote:
>>> Good afternoon, list.  I'm hoping to get a quick opinion on some
>>> hardware.  I've done some brief looking and not really found what  
>>> I'm
>>> seeking so I'll post here in hopes that one of you can share some
>>> experience.
>>> I'm exploring deployment of some Bro boxes and was hoping to  
>>> leverage
>>> a great deal that Sun is offering to get the hardware.  I know that
>>> the boxes can do what I need them to do, as I've worked on Bro
>>> implementations elsewhere.  What I'd really like to know is if  
>>> anyone
>>> has used the Sun (Intel Chipset 82598) dual port 10g cards?  They're a
>>> decent savings of capital, but I'd rather just spend the money to get
>>> the cards I'm used to (single port 10g Intel or Myricom) if the dual
>>> port cards behave strangely or are a time-vortex to get working.
>>> I'm making an assumption that the dual port cards operate similar to
>>> the single port cards.  Has anyone used these in a bro deployment?
>>>
>>>
>>> Thanks,
>>> nb
>>> ---
>>> Nick Buraglio
>>> Network Engineer, CITES, University of Illinois
>>> GPG key 0x2E5B44F4
>>> Phone: 217.244.6428
>>> buraglio at illinois.edu
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro