[Bro] BRO performance in a real world

Seth Hall seth at icir.org
Mon Apr 22 12:23:36 PDT 2013


On Apr 22, 2013, at 3:07 PM, Michal Purzynski <michal at rsbac.org> wrote:

> I know that's a lot of questions, but trying to establish a baseline and 
> do some capacity planning here :) And there's nothing in google, apart 
> from some (i guess old) statement, that a single bro process can handle 
> up to 80Mbit/sec.

Yeah, I begrudgingly wrote that because the question came up so frequently.  It was based on old estimates and doesn't seem to be as relevant anymore.  I know of sites doing everything from 100Mbps/core to >500Mbps/core, it depends heavily on the clock rate of the CPU and how you are capturing packets.

In the case of the site with >500Mbps/core, they are using an Endace DAG card and skipping the OS nearly completely to acquire packets and their per-core clock rate is 3.7Ghz I believe.  

With 2GHz cores, you likely won't hit that speed, but it will almost certainly be faster than that horribly documented 80Mbps. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/





More information about the Bro mailing list