[Bro] [bro] package capture
Vern Paxson
vern at icir.org
Wed Oct 21 11:24:25 PDT 2009
Regarding whether a single Bro system can deal with a 300 Mbps link doesn't
have a simple answer. It will depend a great deal on your particular traffic
mix (what applications dominate) versus what analysis you wish to perform
(for example, are you aiming to analyze those dominant applications).
It will also depend on the particular hardware and operating system (packet
filter performance). All that said, my guess would be that if for example
you want to your analysis to include HTTP responses, and if HTTP makes up
a lot of your connections, then you may have problems doing so with a
single system.
Vern
More information about the Bro
mailing list