[Bro] Question about network cards

Drew Dixon dwdixon at umich.edu
Mon Jun 6 15:07:33 PDT 2016 

Hi All,

Wondering what model Myricom card is most commonly purchased for 10G Bro
monitoring connections?  I see Myricom has many options but I'm wondering
which exact model is purchased most commonly and/or recommended amongst
those who have Bro deployed in a production environment?

Assuming most people probably go with the SPF+ model (if not please let me
know), do most people go with the 1-port card (10G-PCIE-8B-S) or did anyone
purchase the 2-port card (10G-PCIE2-8C2-2S) and does anyone see any real
value or purpose in going with the 2-port card for IDS/monitoring interface
purposes?  I'm assuming the answer is no to finding value/purpose in the
2-port card but I wanted to get some valuable input on all of this before
making any purchases of the Myricom cards.

Of those who run the Myricom cards currently, did most go with the
10G-PCIE-8B-S model?

https://www.myricom.com/products/network-adapters/product-selector.html

Thank you


On Wed, Apr 13, 2016 at 11:27 AM, Michał Purzyński <
michalpurzynski1 at gmail.com> wrote:

> Of only I had enough patience for ZC. When it worked, I saw some packed
> loss that wasn't there when I used Myricom on the same sensor.
>
> A nice alternative would be an Intel plus NetMap.
>
> > On 13 Apr 2016, at 16:39, Gary Faulkner <gfaulkner.nsm at gmail.com> wrote:
> >
> > What are folks thoughts on Intel Cards with the fully licensed PF_RING
> DNA+Libzero or ZC drivers and libraries, which NTOP typically offers to
> EDUs at no cost. Shouldn't these perform much more closely to the Myricoms
> with Sniffer v3 than standard PF_RING drivers and libraries?
> >
> >> On 4/13/16 6:46 AM, Hosom, Stephen M wrote:
> >> Intel x520s work fine with both af_packet and pf_ring.
> >>
> >>
> >> On 04/12/2016 06:03 PM, Michał Purzyński wrote:
> >> Another voice for myricoms. Single port with the sniffer v3 license was
> nowhere close to 1000, but much cheaper.
> >>
> >> Maintaining that, comparing to pfring, is day and night.
> >>
> >> Netmap with Intel should be the future, I don't have much experience
> with that yet.
> >>
> >> Another option is afpacket and intels, works well.
> >>
> >> On 12 Apr 2016, at 22:41, Miller, Brad L <<mailto:BLMILLER at comerica.com
> >BLMILLER at comerica.com<mailto:BLMILLER at comerica.com>> wrote:
> >>
> >> We are using Endace cards which are quite a bit more pricey, but we are
> actively looking at the Myricom cards now.
> >>
> >> My advice – get the Myricom cards.  While you can do pfring using
> standard cards, nothing beats the low to no capture loss hardware.  The
> ability to do onboard load distribution with multiple sub interfaces is a
> killer feature and your Bro config is greatly simplified.  We use a patched
> version of libpacap for Endace.. but I hear that 2.5 may incorporate native
> Myricom support.
> >>
> >> Without cards like these it is like getting a new mustang but skimping
> on the powertrain options.
> >>
> >>
> >>
> >>
> >> From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:
> bro-bounces at bro.org] On Behalf Of Giesige, Rich
> >> Sent: Tuesday, April 12, 2016 4:24 PM
> >> To: bro at bro.org<mailto:bro at bro.org>
> >> Subject: [Bro] Question about network cards
> >>
> >> Hello,
> >>
> >> I’m wondering what people are using for network cards in their bro
> clusters that are not using the Myricom Network Cards. We don’t have a
> $1,000 dollars per a card + license to spend on the cards. Is anyone using
> Intel or other brands that aren’t as expensive to capture their traffic? We
> are looking at doing all 10 Gig connections into the Bro Cluster.
> >>
> >> Thanks for all your answers.
> >>
> >> --
> >> Richard Giesige
> >> IT Security Analyst
> >> Office of Information Security
> >> Oregon State University
> >>
> >> "OSU staff will NEVER ask for you password.
> >> Never email or share your password with anyone."
> >>
> >>
> >> Please be aware that if you reply directly to this particular message,
> your reply may not be secure. Do not use email to send us communications
> that contain unencrypted confidential information such as passwords,
> account numbers or Social Security numbers. If you must provide this type
> of information, please visit comerica.com<http://comerica.com> to submit
> a secure form using any of the ”Contact Us” forms. In addition, you should
> not send via email any inquiry or request that may be time sensitive. The
> information in this e-mail is confidential. It is intended for the
> individual or entity to whom it is addressed. If you have received this
> email in error, please destroy or delete the message and advise the sender
> of the error by return email.
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org<mailto:bro at bro-ids.org>
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro<
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>
> >>
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160606/c4fcc702/attachment.html

More information about the Bro mailing list