[Bro] BRO performance in a real world
Seth Hall
seth at icir.org
Mon Apr 22 12:23:36 PDT 2013
On Apr 22, 2013, at 3:07 PM, Michal Purzynski <michal at rsbac.org> wrote:
> I know that's a lot of questions, but trying to establish a baseline and
> do some capacity planning here :) And there's nothing in google, apart
> from some (i guess old) statement, that a single bro process can handle
> up to 80Mbit/sec.
Yeah, I begrudgingly wrote that because the question came up so frequently. It was based on old estimates and doesn't seem to be as relevant anymore. I know of sites doing everything from 100Mbps/core to >500Mbps/core, it depends heavily on the clock rate of the CPU and how you are capturing packets.
In the case of the site with >500Mbps/core, they are using an Endace DAG card and skipping the OS nearly completely to acquire packets and their per-core clock rate is 3.7Ghz I believe.
With 2GHz cores, you likely won't hit that speed, but it will almost certainly be faster than that horribly documented 80Mbps. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list