[Bro] 10g Nic Cards

Vlad Grigorescu vladg at cmu.edu
Mon May 6 16:09:40 PDT 2013


On May 6, 2013, at 5:35 PM, "Slagell, Adam J" <slagell at illinois.edu> wrote:

> But you need to pay for the sniffing driver to really make use of them.

This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver and the price comes out to be just about the same as Myricom[1]. You can opt to not get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees; however, this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.

Other advantages of the Myricom cards are that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.

Hope that provides some insight into why we went with Myricom, at least.

  --Vlad Grigorescu
    Senior Information Security Engineer
    Carnegie Mellon University

[1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.


