[Bro] Bro with 10Gb NIC's or higher
Mike Patterson
mike.patterson at uwaterloo.ca
Thu Jan 8 08:32:12 PST 2015
capture_loss log, not enabled by default.
--
The most difficult thing in the world is to know how to do a thing and
to watch someone else doing it wrong, without commenting. - T.H. White
> On Jan 8, 2015, at 11:31 AM, John Donnelly <jdonnelly at dyn.com> wrote:
>
> How does one know if bro is dropping (10%) of messages ?
>
> On Thu, Jan 8, 2015 at 9:28 AM, Mike Patterson <mike.patterson at uwaterloo.ca> wrote:
> Succinctly, yes, although that provision is a big one.
>
> I'm running Bro on two 10 gig interfaces, an Intel X520 and an Endace DAG 9.2X2. Both perform reasonably well. Although my hardware is somewhat underspecced (Dell R710s of differing vintages), I still get tons of useful data.
>
> If your next question would be "how should I spec my hardware", that's quite difficult to answer because it depends on a lot. Get the hottest CPUs you can afford, with as many cores. If you're actually sustaining 10+Gb you'll probably want at least 20-30 cores. I'm sustaining 4.5Gb or so on 8 3.7Ghz cores, but Bro reports 10% or so loss. Note that some hardware configurations will limit the number of streams you can feed to Bro, eg my DAG can only produce 16 streams so even if I had it in a 24 core box, I'd only be making use of 2/3 of my CPU.
>
> Mike
>
> > On Jan 7, 2015, at 5:04 AM, coen bakkers <cbakkers at yahoo.de> wrote:
> >
> > Does anyone have experience with higher speed NIC's and Bro? Will it sustain 10Gb speeds or more provide the hardware is spec'd appropriately?
> >
> > regards,
> >
> > Coen
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
More information about the Bro
mailing list