From robin at icir.org Fri May 1 13:54:43 2009
From: robin at icir.org (Robin Sommer)
Date: Fri, 1 May 2009 13:54:43 -0700
Subject: [Bro] Cluster wishlist?
Message-ID: <20090501205443.GC84614@icir.org>

I'll be working on preparing the cluster shell (i.e., everything in aux/cluster in my work branch) for inclusion into Bro 1.5. The plan is to then also use the shell framework for standard, non-clusterized installations (replacing Bro Lite).

For those who have already experimented with the cluster shell: if there is anything particular you'd like to see changed/added/fixed, please file a corresponding feature request (or problem report if it's a bug) with our tracker at http://tracker.icir.org.bro and set the component to "Cluster Shell". I can't promise to get to everything, but I'd like to get an idea of what people find missing.

Thanks!

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From buraglio at illinois.edu Mon May 4 11:48:09 2009
From: buraglio at illinois.edu (Nick Buraglio)
Date: Mon, 4 May 2009 13:48:09 -0500
Subject: [Bro] Hardware Experience
Message-ID: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu>

Good afternoon, list. I'm hoping to get a quick opinion on some hardware. I've done some brief looking and not really found what I'm seeking, so I'll post here in hopes that one of you can share some experience.

I'm exploring deployment of some Bro boxes and was hoping to leverage a great deal that Sun is offering to get the hardware. I know that the boxes can do what I need them to do, as I've worked on Bro implementations elsewhere. What I'd really like to know is if anyone has used the Sun (Intel Chipset 82598) dual port 10g cards? They're a decent savings of capital, but I'd rather just spend the money to get the cards I'm used to (single port 10g Intel or Myricom) if the dual port cards behave strangely or are a time-vortex to get working. I'm making an assumption that the dual port cards operate similarly to the single port cards. Has anyone used these in a Bro deployment?

Thanks,
nb
---
Nick Buraglio
Network Engineer, CITES, University of Illinois
GPG key 0x2E5B44F4
Phone: 217.244.6428
buraglio at illinois.edu

From jebrahimi at bivio.net Mon May 4 14:02:22 2009
From: jebrahimi at bivio.net (Joel Ebrahimi)
Date: Mon, 4 May 2009 14:02:22 -0700
Subject: [Bro] Hardware Experience
In-Reply-To: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu>
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu>
Message-ID:

Hi Nick,

Another hardware option is the Bivio platform (http://www.bivio.net). First I should make a disclaimer that I work for the company.

We offer a hardware platform that is designed for DPI applications like Bro. The system is really a networking platform and much different than off-the-shelf hardware you would get from Sun. The Bivio system is designed to deal with traffic at 10Gb/s (or more with scaling) and comes with configurable interfaces that range from 1 G copper to 10 G fiber.

The Bivio system is PowerPC Linux based, so it is fairly trivial to port Bro or any pcap based application to our platform. I have ported it in the past and built RPMs, and I'm currently looking forward to the cluster release of Bro in the 1.5 version as it is an extremely good fit for the distributed architecture design of our hardware.

I would highly recommend taking a look if your goal is not only to use 10G interfaces, but to be able to deal with that 10G of traffic.

Cheers,

// Joel

Joel Ebrahimi
Solutions Engineer
Bivio Networks Inc.
http://www.bivio.net

From mccreary at ucar.edu Wed May 6 11:36:02 2009
From: mccreary at ucar.edu (Sean McCreary)
Date: Wed, 06 May 2009 12:36:02 -0600
Subject: [Bro] SSL_SessConIncon
Message-ID: <4A01D892.6080504@ucar.edu>

Since upgrading to Robin's latest cluster policy scripts I'm seeing a lot of alarms for SSL_SessConIncon notices. ssl.bro raises this notice when a current SSL connection does not match either the version or cipher of a previous matching connection, and Bro has inferred that the SSL connection was cached and reused. Is this a known bug in ssl.bro?

FWIW, it only happens with one very busy server on our network, and for both simap and https connections. I can gather more information if we need to debug the problem.

From robin at icir.org Thu May 7 13:47:43 2009
From: robin at icir.org (Robin Sommer)
Date: Thu, 7 May 2009 13:47:43 -0700
Subject: [Bro] SSL_SessConIncon
In-Reply-To: <4A01D892.6080504@ucar.edu>
References: <4A01D892.6080504@ucar.edu>
Message-ID: <20090507204743.GF86957@icir.org>

On Wed, May 06, 2009 at 12:36 -0600, you wrote:

> when a current SSL connection does not match either the version or
> cipher of a previous matching connection, and bro has inferred that the
> SSL connection was cached and reused. Is this a known bug in ssl.bro?

I don't think I have heard about this one. Could you file a ticket with our tracker, if possible attaching a trace of one connection triggering such an alarm? Thanks.
Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From buraglio at illinois.edu Tue May 12 14:34:40 2009
From: buraglio at illinois.edu (Nick Buraglio)
Date: Tue, 12 May 2009 16:34:40 -0500
Subject: [Bro] Hardware Experience
In-Reply-To:
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu>
Message-ID: <55348820-DCA2-4BD2-B8D7-95E17DF4132C@illinois.edu>

Thanks for the info.

nb
---
Nick Buraglio
Network Engineer, CITES, University of Illinois
GPG key 0x2E5B44F4
Phone: 217.244.6428
buraglio at illinois.edu

From mccreary at ucar.edu Wed May 27 13:54:39 2009
From: mccreary at ucar.edu (Sean McCreary)
Date: Wed, 27 May 2009 14:54:39 -0600
Subject: [Bro] Hardware Experience
In-Reply-To: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu>
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu>
Message-ID: <4A1DA88F.1060603@ucar.edu>

I'd be careful about purchasing 10G NICs for packet capture. I have not been able to configure a FreeBSD 6.3 system with a Myricom Myri-10G NIC to reliably capture traffic on a lightly loaded link (~2Mb/s, ~240 kpps). One option I'm interested in trying is the Endace DAG. Does anyone have experience using these cards with Bro?

From aashish at uiuc.edu Wed May 27 21:21:00 2009
From: aashish at uiuc.edu (Aashish Sharma)
Date: Wed, 27 May 2009 23:21:00 -0500
Subject: [Bro] Hardware Experience
In-Reply-To: <4A1DA88F.1060603@ucar.edu>
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu> <4A1DA88F.1060603@ucar.edu>
Message-ID: <20090528042100.GE12888@uiuc.edu>

Hi Sean:

Back in 2006 we got 4 Dag 6.2SE cards to monitor our 10G links. During that time we were running firmware 2.5.7.5 on the cards. We had a real hard time keeping Bro running reliably in a sustained manner using Dag cards. We encountered a lot of issues, including lack of drivers, lack of built-in support for libpcap, crashing of Bro repeatedly, and heating up and crashing of the system as well.

In fact, Robin helped us quite a bit and even wrote drivers and support for Dag in Bro. Endace support was prompt too, and they provided us with a new modified firmware, but not much changed.

During all that time, for production Bro we relied on a pair of Intel 10G cards while we tried to resolve this issue with the Dag cards (we spent considerable time trying to get this working).

All in all, we had a lot of issues running Dag capture cards reliably. Eventually, we gave up and got Myricom 10G cards. We have been quite happy with the Myricom cards and have not encountered any issues since.

Hope this helps,

Aashish Sharma
NCSA

From mcholste at gmail.com Thu May 28 04:37:01 2009
From: mcholste at gmail.com (Martin Holste)
Date: Thu, 28 May 2009 06:37:01 -0500
Subject: [Bro] Hardware Experience
In-Reply-To: <20090528042100.GE12888@uiuc.edu>
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu> <4A1DA88F.1060603@ucar.edu> <20090528042100.GE12888@uiuc.edu>
Message-ID:

Your DAG experience is interesting.
We demoed the 6.2SE's and they seemed to run OK on libpcap apps for a few days in late 2006. We've been running the smaller 1 Gb cousin, the 4.5G2, in production since then with zero stability problems with libpcap apps. Link size is 1 Gb physical, 450 Mb/sec typical load. In my experience though, the difference maker is rarely in getting the packets to the CPU, but rather in the CPU grepping through the packets fast enough. I anticipate that the Bro cluster work will do more for full snaplength processing than hardware acceleration will, unless someone writes Bro for Nvidia's CUDA like they wrote Snort for CUDA with Gnort.

--Martin

From jchambers at ucla.edu Thu May 28 11:00:30 2009
From: jchambers at ucla.edu (Jason Chambers)
Date: Thu, 28 May 2009 11:00:30 -0700
Subject: [Bro] Hardware Experience
In-Reply-To:
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu> <4A1DA88F.1060603@ucar.edu> <20090528042100.GE12888@uiuc.edu>
Message-ID: <4A1ED13E.4080504@ucla.edu>

I recommend these cards available from nPulse networks [1] (Napatech is the OEM). They have more features than the Endace cards and twice the port density. And, they fully support FreeBSD. Despite my numerous requests, it seems Endace maintains that there will not be future support for FreeBSD due to lack of demand. To the best of my knowledge, the last officially supported FreeBSD version from Endace is the 6.x train. Anyhow, that's my personal gripe.

[1] http://www.npulsenetworks.com/

Napatech 2x10GE NT20E
http://www.napatech.com/products/capture_adapters/2x10g_pcie_nt20e.html

And when it's available, the NTNPU20E looks like a very exciting complement to the NT20E's. It was displayed at Interop but is still a few months out from release.
http://www.napatech.com/products/inspect_adapters.html

HTH,

--Jason

From jcarr at andrew.cmu.edu Thu May 28 11:13:04 2009
From: jcarr at andrew.cmu.edu (Jason Carr)
Date: Thu, 28 May 2009 14:13:04 -0400
Subject: [Bro] Hardware Experience
In-Reply-To: <4A1ED13E.4080504@ucla.edu>
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu> <4A1DA88F.1060603@ucar.edu> <20090528042100.GE12888@uiuc.edu> <4A1ED13E.4080504@ucla.edu>
Message-ID: <4A1ED430.2020500@andrew.cmu.edu>

One thing I noticed with the NT20E is that the web site states "20 Gbps throughput @ 64 bytes". I'm assuming that this means that the device only captures 64 bytes of the data section of a packet. I also assume this is configurable. For some things that's fine, but in most NIDS (such as Bro, snort, etc.) you usually want the whole packet.

What are you using in terms of capture size and bandwidth, if you don't mind me asking?

- Jason

From jchambers at ucla.edu Thu May 28 12:23:00 2009
From: jchambers at ucla.edu (Jason Chambers)
Date: Thu, 28 May 2009 12:23:00 -0700
Subject: [Bro] Hardware Experience
In-Reply-To: <4A1ED430.2020500@andrew.cmu.edu>
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu> <4A1DA88F.1060603@ucar.edu> <20090528042100.GE12888@uiuc.edu> <4A1ED13E.4080504@ucla.edu> <4A1ED430.2020500@andrew.cmu.edu>
Message-ID: <4A1EE494.2090602@ucla.edu>

The tech sheet says otherwise: "Full-line-rate processing for all frames from 64 bytes to 10.000 bytes".

http://www.napatech.com/uploads/c_file/21_file_6159.pdf

I cannot comment on our setup at the moment as hardware is pending.

--Jason

From jchambers at ucla.edu Thu May 28 13:25:46 2009
From: jchambers at ucla.edu (Jason Chambers)
Date: Thu, 28 May 2009 13:25:46 -0700
Subject: [Bro] Hardware Experience
In-Reply-To: <4A1EE494.2090602@ucla.edu>
References: <8A6C3E52-76BD-46F5-B210-051D2D5392F4@illinois.edu> <4A1DA88F.1060603@ucar.edu> <20090528042100.GE12888@uiuc.edu> <4A1ED13E.4080504@ucla.edu> <4A1ED430.2020500@andrew.cmu.edu> <4A1EE494.2090602@ucla.edu>
Message-ID: <4A1EF34A.5090807@ucla.edu>

Sorry to reply to my own post. Maybe this link explains the details better.

http://www.napatech.com/features/efficient_capture.html
http://www.napatech.com/features/efficient_capture/full_line_rate_capture.html

--Jason

-- 
Jason Chambers
UCLA
jchambers at ucla.edu
310-206-5603
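Sean McCreary's SSL_SessConIncon message earlier in this archive describes the check ssl.bro performs: once Bro infers that a connection reuses a cached SSL session, the negotiated version and cipher must match what was recorded when that session was first seen. The block below is an added example, not ssl.bro or any other Bro code: it implements that consistency check in Python over constructed handshake records. The Handshake and SessionTracker names, the inference rule (server echoes the client's session id), and the choice to key the cache by server address, port and session id are assumptions of this example, not a description of how ssl.bro is written.

```python
"""Session-resumption consistency check modelled on the SSL_SessConIncon
notice discussed on this list.  Added example, not Bro code; the handshake
records at the bottom are constructed test data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESS_CON_INCON = "SSL_SessConIncon"  # notice name from Sean McCreary's message


@dataclass(frozen=True)
class Handshake:
    """What a monitor learns from one ClientHello/ServerHello pair (constructed type)."""
    conn: str                # connection id, e.g. "10.0.0.5:51044 -> 192.0.2.10:443"
    server: Tuple[str, int]  # responder address and port
    client_sid: str          # session id offered by the client, "" if none
    server_sid: str          # session id returned by the server, "" if it declined to cache
    version: str             # negotiated protocol version
    cipher: str              # negotiated cipher suite


@dataclass(frozen=True)
class Notice:
    kind: str
    conn: str
    msg: str


def is_resumed(h: Handshake) -> bool:
    """Infer reuse of a cached session when the server echoes the id the client
    offered; a fresh id from the server means a full handshake took place."""
    return h.client_sid != "" and h.client_sid == h.server_sid


class SessionTracker:
    """Remembers (version, cipher) per established session and flags resumptions
    that negotiate something different from what the cached session recorded."""

    def __init__(self) -> None:
        # Keyed by (server ip, server port, session id): a choice made here so that
        # the same id handed out by two services on one busy host (https and simap
        # in Sean's report) cannot be mistaken for a single session.
        self._cache: Dict[Tuple[str, int, str], Tuple[str, str]] = {}

    def observe(self, h: Handshake) -> Optional[Notice]:
        if h.server_sid == "":
            return None  # server declined to cache: nothing to compare later
        key = (h.server[0], h.server[1], h.server_sid)
        cached = self._cache.get(key)
        if is_resumed(h) and cached is not None:
            if cached != (h.version, h.cipher):
                return Notice(SESS_CON_INCON, h.conn,
                              f"resumed session {h.server_sid} negotiated "
                              f"{h.version}/{h.cipher} but the cached session used "
                              f"{cached[0]}/{cached[1]}")
            return None
        # Either a new session, or a resumption whose original handshake this
        # monitor never saw (established before startup, or seen by a different
        # cluster node): record it so later resumptions can be checked.
        self._cache[key] = (h.version, h.cipher)
        return None


def run(handshakes: List[Handshake]) -> List[Notice]:
    """Feed handshakes through one tracker in capture order; return raised notices."""
    tracker = SessionTracker()
    notices: List[Notice] = []
    for h in handshakes:
        n = tracker.observe(h)
        if n is not None:
            notices.append(n)
    return notices


HTTPS = ("192.0.2.10", 443)
IMAPS = ("192.0.2.10", 993)
AES = "TLS_RSA_WITH_AES_128_CBC_SHA"
RC4 = "TLS_RSA_WITH_RC4_128_SHA"

# Constructed sample handshakes against one busy server, in capture order.
SAMPLE = [
    Handshake("10.0.0.5:51044 -> 192.0.2.10:443", HTTPS, "", "a1b2", "TLSv1.0", AES),      # full handshake
    Handshake("10.0.0.5:51045 -> 192.0.2.10:443", HTTPS, "a1b2", "a1b2", "TLSv1.0", AES),  # consistent resume
    Handshake("10.0.0.5:51046 -> 192.0.2.10:443", HTTPS, "a1b2", "a1b2", "TLSv1.0", RC4),  # cipher changed: notice
    Handshake("10.0.0.5:51047 -> 192.0.2.10:993", IMAPS, "a1b2", "a1b2", "SSLv3", RC4),    # same id, other service: none
    Handshake("10.0.0.5:51048 -> 192.0.2.10:443", HTTPS, "a1b2", "c3d4", "TLSv1.0", RC4),  # server issued new id: none
]

if __name__ == "__main__":
    for n in run(SAMPLE):
        print(f"{n.kind} {n.conn}: {n.msg}")
```

Running the sample raises exactly one notice, for the third connection; a monitor that missed a session's first handshake records it silently rather than alarming, which is the case to keep in mind when a single busy server is the only source of these notices.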