[Bro] Hardware recommends
Gary Faulkner
gfaulkner.nsm at gmail.com
Wed Jan 27 12:35:53 PST 2016
I reached this page via Google, but the breadcrumbs show it as being
part of the 2.4.1 documentation, which I believe is considered current.
https://www.bro.org/sphinx/cluster/index.html
Under Workers section:
"The rule of thumb we have followed recently is to allocate
approximately 1 core for every 80Mbps of traffic that is being analyzed.
However, this estimate could be extremely traffic mix-specific. It has
generally worked for mixed traffic with many users and servers. For
example, if your traffic peaks around 2Gbps (combined) and you want to
handle traffic at peak load, you may want to have 26 cores available
(2048 / 80 == 25.6). If the 80Mbps estimate works for your traffic, this
could be handled by 3 physical hosts dedicated to being workers with
each one containing dual 6-core processors."
On 1/27/16 6:57 AM, Slagell, Adam J wrote:
> Which document? We should update that.
>
>> On Jan 26, 2016, at 9:18 PM, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
>>
>> The Bro architecture documents still seem to suggest you can only
>> process 80Mb/s or so of traffic per core, but even at 2.6 - 2.7 GHz you
>> end up getting closer to 250-300Mb/s+. 3.1 will boost this a bit and
>> allow you to handle slightly larger flows per core, but you may be able
>> to get many more cores on a single host at 2.6 for similar or less
>> money. I'd just be ware of optimizing too heavily on core count and
>> ending up with 1.8GHz clocks.
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160127/7e129ee7/attachment.html
More information about the Bro
mailing list