[Bro] Hardware Experience

Jason Chambers jchambers at ucla.edu
Thu May 28 13:25:46 PDT 2009 

Sorry to reply to my own post.  Maybe this link explains the details better.

http://www.napatech.com/features/efficient_capture.html
http://www.napatech.com/features/efficient_capture/full_line_rate_capture.html

--Jason


Jason Chambers wrote:
> The tech sheet says otherwise.  "Full-line-rate processing for all
> frames from 64 bytes to 10.000 bytes".
> 
> http://www.napatech.com/uploads/c_file/21_file_6159.pdf
> 
> I cannot comment on our setup at the moment as hardware is pending.
> 
> --Jason
> 
> 
> Jason Carr wrote:
>> One thing I noticed with the NT20E is that the web site states that "20
>> Gbps throughput @ 64 bytes".  I'm assuming that this means that the
>> device only captures 64 bytes of the data section of a packet.  I also
>> assume this is configurable.  For some things that's fine, but in most
>> NIDS (such as Bro, snort, etc) you usually want the whole packet.
>>
>> What are you using in terms of capture size and bandwidth, if you don't
>> mind me asking?
>>
>> - Jason
>>
>> Jason Chambers wrote:
>>> Martin Holste wrote:
>>>> Your DAG experience is interesting.  We demoed the 6.2SE's and they
>>>> seemed to run OK on libpcap apps for a few days in late 2006.  We've
>>>> been running the smaller 1 Gb cousin, the 4.5G2, in production since
>>>> then with zero stability problems with libpcap apps.  Link size is 1 Gb
>>>> physical, 450 Mb/sec typical load.  In my experience though, the
>>>> difference maker is rarely in getting the packets to the CPU, but rather
>>>> in the CPU grepping through the packets fast enough.  I anticipate that
>>>> the Bro cluster work will do more for full snaplength processing than
>>>> hardware acceleration will unless someone writes Bro for Nvidia's CUDA
>>>> like they wrote Snort for CUDA with Gnort.
>>>>
>>> I recommend these cards available from nPulse networks. [1] (Napatech is
>>> the OEM).  They have more features than the Endace cards and twice the
>>> port density.  And, they fully support FreeBSD.  Despite my numerous
>>> requests it seems Endace maintains that there will not be future support
>>> for FreeBSD due to lack of demand.  To the best of my knowledge, the
>>> last official supported FreeBSD version from Endace is the 6.x train.
>>> Anyhow that's my personal gripe.
>>>
>>>
>>> [1] http://www.npulsenetworks.com/
>>>
>>> Napatech 2x10GE NT20E
>>>
>>> http://www.napatech.com/products/capture_adapters/2x10g_pcie_nt20e.html
>>>
>>>
>>> And when it's available, the NTNPU20E looks like a very exciting
>>> complement to the NT20E's.  It was displayed at Interop but is still a
>>> few months out from release.
>>>
>>> http://www.napatech.com/products/inspect_adapters.html
>>>
>>>
>>> HTH,
>>>
>>> --Jason
>>>
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 


-- 

Jason Chambers
UCLA
jchambers at ucla.edu
310-206-5603

More information about the Bro mailing list