[Bro] BRO performance in a real world

William Jones jones at tacc.utexas.edu
Mon Apr 22 13:24:07 PDT 2013 

What sort of packet rate can you handle per worker?  

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Monday, April 22, 2013 2:29 PM
To: bro at bro.org
Subject: Re: [Bro] BRO performance in a real world

On 2013-04-22 13:14, Bernhard Amann wrote:
> On Apr 22, 2013, at 12:07 PM, Michal Purzynski <michal at rsbac.org>
> wrote:
>
>> How's the BRO real world performance? You know, 10Gbit links and up. 
>> How
>> many workers do I need for every 1Gbit of traffic (sure, it depends 
>> on the rules heavily)?
> […]
>>
>> Do you have some real world examples, such as "we have server with 
>> <CPU>
>> and <mem> and it handles Gbit/sec of traffic on average/peak"
>
> There was a thread about exactly this on here just a few weeks ago -
> to cite a
> bit from it:
>
> On Mar 19, 2013, at 11:20 AM, Mike Patterson
> <mike.patterson at uwaterloo.ca> wrote:
> […]
>> I keep meaning to write this up, but on *my* configuration:
>> * 16 cores of model name	: Intel(R) Xeon(R) CPU           X5677  @ 
>> 3.47GHz
>> * 72GB of RAM
>> * Endace DAG (9.2)
>> * some config magic by Seth, which I'd be happy to share.
>>
>> 6 workers keep up with ~2.5-3Gbps peaks, no problem.
>
> […]
>> It doesn't actually consume all of the above resources - I'm running 
>> other things on the box too - but bro itself consumes ~4.5GB resident 
>> per worker, and can be counted on to pin most of its allocated cores 
>> at peak loads.
>
>
> On Mar 19, 2013, at 11:35 AM, Vlad Grigorescu <vladg at cmu.edu> wrote:
>> Just to throw another data point out there:
>> * 16 physical cores of model name	: Intel(R) Xeon(R) CPU E5-2680 @ 
>> 2.70 GHz
>> * 96GB of RAM
>> * Myricom NIC
>>
>> 28 workers (I have Hyperthreading turned on) keep up with a 6-7 Gbps 
>> average, and I've seen them do fine with short peaks of 9 Gbps or so. 
>> The Myricom cards definitely won't break the bank: card + SR optics + 
>> perpetual license is $895.
> […]
>
> Full thread at:
> http://mailman.icsi.berkeley.edu/pipermail/bro/2013-March/006242.html
>
> I hope that helps,
>  Bernhard

Also try running just bro command line instead of using broctl in your 
tests.

James

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list