[Bro] Myricom and Bro... show of hands for successful deployments on 10G links (with > 5Gpbs)

Harry Hoffman hhoffman at ip-solutions.net
Fri Aug 22 13:31:08 PDT 2014 

Thanks, Kyle!

Very informative article. I’m installing numactl now and will test.

I do note that they say they are doing close to line rate with a Dell R710 so that’s promising :-)

Cheers,
Harry


On Aug 22, 2014, at 3:09 PM, Kyle Creyts <kyle.creyts at gmail.com> wrote:

> check your memory bandwidth:
> http://www.ntop.org/pf_ring/not-all-servers-are-alike-with-dna/
> 
> On Fri, Aug 22, 2014 at 11:44 AM, Vlad Grigorescu <vlad at grigorescu.org> wrote:
>> Hi Harry,
>> 
>> Can you expand on "allowing both capture and writing to disk?" Carnegie
>> Mellon runs a Bro cluster with Myricom NICS, which works well. However, the
>> manager is on a box that doesn't have any workers on it (and thus doesn't
>> receive any traffic), so I haven't had any I/O contention from network
>> traffic and log writing. Is that what you're referring to?
>> 
>> We're seeing about 16 Gbps and dropping < 1% (around 0.1% most of the time,
>> I believe). That's split up over 4 rather beefy boxes, though.
>> 
>>  --Vlad
>> 
>> 
>> On Thu, Aug 21, 2014 at 10:26 AM, Harry Hoffman <hhoffman at ip-solutions.net>
>> wrote:
>>> 
>>> Hi All,
>>> 
>>> So, I’m writing to hopefully get a show of hands from those of your out
>>> there who’ve employed Myricom cards to capture packets on your 10G links.
>>> 
>>> I’ll start by saying that while the myricom cards we have in place do a
>>> fine job of capturing I’ve been unable to find the secret sauce that allows
>>> both capture and writing to disk in a way that doesn’t drop significant
>>> amounts of packets using either bro, tcpdump, snort, suricata.
>>> 
>>> For those of you out there using myricom cards in conjunction with your
>>> favorite tools (bro of course ;-)  ) can you let me know what data rate your
>>> Myricom cards are seeing and what (assuming some) percentage of packets you
>>> are dropping?
>>> 
>>> If you aren’t dropping anything I’d love to know more about your setup!
>>> :-)
>>> 
>>> Cheers,
>>> Harry
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> 
> -- 
> Kyle Creyts
> 
> Information Assurance Professional
> Founder BSidesDetroit

More information about the Bro mailing list