[Bro] Hardware Experience

Martin Holste mcholste at gmail.com
Thu May 28 04:37:01 PDT 2009


Your DAG experience is interesting.  We demoed the 6.2SE's and they seemed
to run OK on libpcap apps for a few days in late 2006.  We've been running
the smaller 1 Gb cousin, the 4.5G2, in production since then with zero
stability problems with libpcap apps.  Link size is 1 Gb physical, 450
Mb/sec typical load.  In my experience though, the difference maker is
rarely in getting the packets to the CPU, but rather in the CPU grepping
through the packets fast enough.  I anticipate that the Bro cluster work
will do more for full snaplength processing than hardware acceleration will
unless someone writes Bro for Nvidia's CUDA like they wrote Snort for CUDA
with Gnort.

--Martin

On Wed, May 27, 2009 at 11:21 PM, Aashish Sharma <aashish at uiuc.edu> wrote:

> Hi Sean:
>
> Back in 2006 we got 4 Dag 6.2SE cards to monitor our 10G links. During the
> time we were running firmware 2.5.7.5 on the cards. We had a real hard time
> keeping Bro running reliably in a sustained manner using Dag cards.  We
> encountered a lot of issues - including lack of drivers, lack of built in
> support for libpcap, crashing of Bro repeatedly, heating up and crashing of
> system as well.
>
> In fact, Robin helped us quite a bit and even wrote drivers and support for
> Dag in Bro.  Endace support was prompt too and they provided us with a new
> modified firmware but not much changed.
>
> During all that time, for production Bro we relied on a pair of Intel 10G
> cards while we resolved this issue with Dag cards (spent considerable time
> trying to get this working).
>
> All in all, we had a lot of issues running Dag capture cards reliably.
> Eventually, we gave up and got Myricom 10G cards.  We have been quite happy
> with Myricom cards and have not encountered any issues since.
>
> Hope this helps,
>
> Aashish Sharma
> NCSA
>
>
> On Wed, May 27, 2009 at 02:54:39PM -0600, Sean McCreary wrote:
> > I'd be careful about purchasing 10G NICs for packet capture.  I have not
> > been able to configure a FreeBSD 6.3 system with a Myricom Myri-10G NIC
> > to reliably capture traffic on a lightly loaded link (~2Mb/s, ~240
> > kpps).  One option I'm interested in trying is the Endace DAG,
> > <http://www.endace.com/dag-network-monitoring-cards.html>.  Does anyone
> > have experience using these cards with bro?
> >
> > Nick Buraglio wrote:
> > > Good afternoon, list.  I'm hoping to get a quick opinion on some
> > > hardware.  I've done some brief looking and not really found what I'm
> > > seeking so I'll post here in hopes that one of you can share some
> > > experience.
> > > I'm exploring deployment of some Bro boxes and was hoping to leverage
> > > a great deal that Sun is offering to get the hardware.  I know that
> > > the boxes can do what I need them to do, as I've worked on Bro
> > > implementations elsewhere.  What I'd really like to know is if anyone
> > > has used the Sun (Intel Chipset 82598) dual port 10g cards?  They're a
> > > decent savings of capital, but I'd rather just spend the money to get
> > > the cards I'm used to (single port 10g Intel or Myricom) if the dual
> > > port cards behave strangely or are a time-vortex to get working.
> > > I'm making an assumption that the dual port cards operate similar to
> > > the single port cards.  Has anyone used these in a bro deployment?
> > >
> > >
> > > Thanks,
> > > nb
> > > ---
> > > Nick Buraglio
> > > Network Engineer, CITES, University of Illinois
> > > GPG key 0x2E5B44F4
> > > Phone: 217.244.6428
> > > buraglio at illinois.edu
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro