[Bro] Myricom and Bro... show of hands for successful deployments on 10G links (with > 5Gbps)

Vlad Grigorescu vlad at grigorescu.org
Fri Aug 22 11:44:53 PDT 2014


Hi Harry,

Can you expand on "allowing both capture and writing to disk?" Carnegie
Mellon runs a Bro cluster with Myricom NICs, which works well. However, the
manager is on a box that doesn't have any workers on it (and thus doesn't
receive any traffic), so I haven't had any I/O contention from network
traffic and log writing. Is that what you're referring to?

We're seeing about 16 Gbps and dropping < 1% (around 0.1% most of the time,
I believe). That's split up over 4 rather beefy boxes, though.

  --Vlad


On Thu, Aug 21, 2014 at 10:26 AM, Harry Hoffman <hhoffman at ip-solutions.net>
wrote:

> Hi All,
>
> So, I’m writing to hopefully get a show of hands from those of you out
> there who’ve employed Myricom cards to capture packets on your 10G links.
>
> I’ll start by saying that while the myricom cards we have in place do a
> fine job of capturing, I’ve been unable to find the secret sauce that allows
> both capture and writing to disk in a way that doesn’t drop significant
> amounts of packets using either bro, tcpdump, snort, suricata.
>
> For those of you out there using myricom cards in conjunction with your
> favorite tools (bro of course ;-)  ) can you let me know what data rate
> your Myricom cards are seeing and what (assuming some) percentage of
> packets you are dropping?
>
> If you aren’t dropping anything I’d love to know more about your setup! :-)
>
> Cheers,
> Harry