[Bro] Hardware Experience

Jason Chambers jchambers at ucla.edu
Thu May 28 12:23:00 PDT 2009


The tech sheet says otherwise.  "Full-line-rate processing for all
frames from 64 bytes to 10.000 bytes".

http://www.napatech.com/uploads/c_file/21_file_6159.pdf

I cannot comment on our setup at the moment as hardware is pending.

--Jason


Jason Carr wrote:
> One thing I noticed with the NT20E is that the web site states that "20
> Gbps throughput @ 64 bytes".  I'm assuming that this means that the
> device only captures 64 bytes of the data section of a packet.  I also
> assume this is configurable.  For some things that's fine, but in most
> NIDS (such as Bro, Snort, etc.) you usually want the whole packet.
> 
> What are you using in terms of capture size and bandwidth, if you don't
> mind me asking?
> 
> - Jason
> 
> Jason Chambers wrote:
>> Martin Holste wrote:
>>> Your DAG experience is interesting.  We demoed the 6.2SE's and they
>>> seemed to run OK on libpcap apps for a few days in late 2006.  We've
>>> been running the smaller 1 Gb cousin, the 4.5G2, in production since
>>> then with zero stability problems with libpcap apps.  Link size is 1 Gb
>>> physical, 450 Mb/sec typical load.  In my experience though, the
>>> difference maker is rarely in getting the packets to the CPU, but rather
>>> in the CPU grepping through the packets fast enough.  I anticipate that
>>> the Bro cluster work will do more for full snaplength processing than
>>> hardware acceleration will unless someone writes Bro for Nvidia's CUDA
>>> like they wrote Snort for CUDA with Gnort.
>>>
>> I recommend these cards available from nPulse networks. [1] (Napatech is
>> the OEM).  They have more features than the Endace cards and twice the
>> port density.  And, they fully support FreeBSD.  Despite my numerous
>> requests it seems Endace maintains that there will not be future support
>> for FreeBSD due to lack of demand.  To the best of my knowledge, the
>> last officially supported FreeBSD version from Endace is the 6.x train.
>> Anyhow that's my personal gripe.
>>
>>
>> [1] http://www.npulsenetworks.com/
>>
>> Napatech 2x10GE NT20E
>>
>> http://www.napatech.com/products/capture_adapters/2x10g_pcie_nt20e.html
>>
>>
>> And when it's available, the NTNPU20E looks like a very exciting
>> complement to the NT20E's.  It was displayed at Interop but is still a
>> few months out from release.
>>
>> http://www.napatech.com/products/inspect_adapters.html
>>
>>
>> HTH,
>>
>> --Jason
>>
>>
>>
> 




