[Bro] Question about network cards

Hosom, Stephen M hosom at battelle.org
Wed Apr 13 04:46:29 PDT 2016 

Intel x520s work fine with both af_packet and pf_ring.


On 04/12/2016 06:03 PM, Michał Purzyński wrote:
Another voice for myricoms. Single port with the sniffer v3 license was nowhere close to 1000, but much cheaper.

Maintaining that, comparing to pfring, is day and night.

Netmap with Intel should be the future, I don't have much experience with that yet.

Another option is afpacket and intels, works well.

On 12 Apr 2016, at 22:41, Miller, Brad L <<mailto:BLMILLER at comerica.com>BLMILLER at comerica.com<mailto:BLMILLER at comerica.com>> wrote:

We are using Endace cards which are quite a bit more pricey, but we are actively looking at the Myricom cards now.

My advice – get the Myricom cards.  While you can do pfring using standard cards, nothing beats the low to no capture loss hardware.  The ability to do onboard load distribution with multiple sub interfaces is a killer feature and your Bro config is greatly simplified.  We use a patched version of libpacap for Endace.. but I hear that 2.5 may incorporate native Myricom support.

Without cards like these it is like getting a new mustang but skimping on the powertrain options.




From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org] On Behalf Of Giesige, Rich
Sent: Tuesday, April 12, 2016 4:24 PM
To: bro at bro.org<mailto:bro at bro.org>
Subject: [Bro] Question about network cards

Hello,

I’m wondering what people are using for network cards in their bro clusters that are not using the Myricom Network Cards. We don’t have a $1,000 dollars per a card + license to spend on the cards. Is anyone using Intel or other brands that aren’t as expensive to capture their traffic? We are looking at doing all 10 Gig connections into the Bro Cluster.

Thanks for all your answers.

--
Richard Giesige
IT Security Analyst
Office of Information Security
Oregon State University

"OSU staff will NEVER ask for you password.
Never email or share your password with anyone."


Please be aware that if you reply directly to this particular message, your reply may not be secure. Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com<http://comerica.com> to submit a secure form using any of the ”Contact Us” forms. In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email.
_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro<http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>

More information about the Bro mailing list