[Bro] A more parallel Bro
Robin Sommer
robin at icir.org
Tue Mar 3 14:47:59 PST 2009
On Mon, Mar 02, 2009 at 11:41 -0600, William L. Jones wrote:
> It is possible to take advantage of muti cpu system with the current
> bro. I am running 4 cpu test system now that runs 4 bro instances
> on 10GigE interface using a modification of the odd/even filter that
> was suggest on bro wiki in the User Manual: Performance Tuning
> section.
That's indeed a solution too, and in fact the cluster shell supports
such a setup out of the box: if you configure it to install multiple
backends on a single host, it will set things up accordingly (except
for your custom BPF filter which one would still need to configure
manually.).
I don't have much experience with such a setup though. One thing I'd
like to know is how the capture performance is when running multiple
Bros. Is it a problem to have multiple, high-load packet capturing
processes running at the same time, or is the kernel able to handle
that just fine?
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list