[Bro] Use PFRING_ZC for Bro

DJ Root dj.root at netronome.com
Thu Feb 5 11:30:31 PST 2015 

Clement,

We have Bro running on a 2 unit stack (4RU total) and see 17-18G of Bro steady state, peak 40-45G with few packet drops (~2%).  To achieve this, we have 32 worker threads on each 2U appliance; of the remaining cores, 4 are for NIC management and the other 12 can be used for other applications.  Bro is not modified at all. 

If you (or anyone else) would like to discuss further, please feel free to send me a private email.

Regards,
DJ Root

> On Jan 27, 2015, at 4:42 PM, Clement Chen <plutochen2010 at gmail.com> wrote:
> 
> I was seeing 60% packet loss rate. After some aggressive BPF filtering, it went down to about 15%-20%.
> 
> Are you using a big box? Mine is 24 core CPU with 64GB mem. There is an email thread about Bro with 10G card and many people also see pretty significant packet loss.
> 
> It would be great if you can share your configs and also your traffic throughput.
> 
> Thanks.
> 
> -Clement
> 
> On Tue, Jan 27, 2015 at 1:35 PM, Greg Williams <gwillia5 at uccs.edu <mailto:gwillia5 at uccs.edu>> wrote:
> Why do you want to use it?  I’m using security onion with Bro and 2x2 Intel x520 10Gb cards and have no packet loss with the base SO configuration. <>
>  
> 
> Greg Williams, M.E., ISA, GPEN, GCFE
> 
> Director of Networks and Infrastructure
> Interim IT Security Manager/Information Security Officer/HIPAA Security Officer
> University of Colorado Colorado Springs - Department of Information Technology
> Phone: 719-255-3211 <tel:719-255-3211>
>  
> 
> From: bro-bounces at bro.org <mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org <mailto:bro-bounces at bro.org>] On Behalf Of Clement Chen
> Sent: Tuesday, January 27, 2015 2:22 PM
> To: bro at bro.org <mailto:bro at bro.org>
> Subject: [Bro] Use PFRING_ZC for Bro
> 
>  
> 
> Hi all,
> 
>  
> 
> I am trying to use PFRING_ZC for Bro in my security onion box. I got the license from ntop but there was little document on how to enable this.
> 
>  
> 
> Would appreciate any help/pointer to docs. I will compile a step-by-step instructions if I get this working.
> 
>  
> 
> I have the Intel 82599EB 10G card and the ixgbe-zc driver installed.
> 
>  
> 
> #dkms status
> 
> ixgbe-zc, 3.22.3, 3.13.0-44-generic, x86_64: installed
> 
> pf_ring, 6, 3.13.0-35-generic, x86_64: installed
> 
> pf_ring, 6, 3.13.0-44-generic, x86_64: installed (WARNING! Diff between built and installed module!)
> 
> pfring, 6.0.3, 3.13.0-44-generic, x86_64: installed
> 
>  
> 
> not sure what to do next and how to enable it for Bro.
> 
>  
> 
> Thanks.
> 
>  
> 
> -Clement
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150205/b3395719/attachment-0001.html

More information about the Bro mailing list