[Bro] Question about network cards

Brandon Lattin lattin at umn.edu
Mon Jun 6 15:42:02 PDT 2016


We use all 10G-PCIE2-8C2-2S with Sniffer10G v3.

We rarely use the second port, but it's handy to have.

On Mon, Jun 6, 2016 at 5:07 PM, Drew Dixon <dwdixon at umich.edu> wrote:

> Hi All,
>
> Wondering what model Myricom card is most commonly purchased for 10G Bro
> monitoring connections?  I see Myricom has many options but I'm wondering
> which exact model is purchased most commonly and/or recommended amongst
> those who have Bro deployed in a production environment?
>
> Assuming most people probably go with the SFP+ model (if not please let me
> know), do most people go with the 1-port card (10G-PCIE-8B-S) or did anyone
> purchase the 2-port card (10G-PCIE2-8C2-2S) and does anyone see any real
> value or purpose in going with the 2-port card for IDS/monitoring interface
> purposes?  I'm assuming the answer is no to finding value/purpose in the
> 2-port card but I wanted to get some valuable input on all of this before
> making any purchases of the Myricom cards.
>
> Of those who run the Myricom cards currently, did most go with the
> 10G-PCIE-8B-S model?
>
> https://www.myricom.com/products/network-adapters/product-selector.html
>
> Thank you
>
>
> On Wed, Apr 13, 2016 at 11:27 AM, Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> If only I had enough patience for ZC. When it worked, I saw some packet
>> loss that wasn't there when I used Myricom on the same sensor.
>>
>> A nice alternative would be an Intel plus NetMap.
>>
>> > On 13 Apr 2016, at 16:39, Gary Faulkner <gfaulkner.nsm at gmail.com>
>> wrote:
>> >
>> > What are folks' thoughts on Intel Cards with the fully licensed PF_RING
>> DNA+Libzero or ZC drivers and libraries, which NTOP typically offers to
>> EDUs at no cost. Shouldn't these perform much more closely to the Myricoms
>> with Sniffer v3 than standard PF_RING drivers and libraries?
>> >
>> >> On 4/13/16 6:46 AM, Hosom, Stephen M wrote:
>> >> Intel x520s work fine with both af_packet and pf_ring.
>> >>
>> >>
>> >> On 04/12/2016 06:03 PM, Michał Purzyński wrote:
>> >> Another voice for myricoms. Single port with the sniffer v3 license
>> was nowhere close to 1000, but much cheaper.
>> >>
>> >> Maintaining that, comparing to pfring, is day and night.
>> >>
>> >> Netmap with Intel should be the future, I don't have much experience
>> with that yet.
>> >>
>> >> Another option is afpacket and intels, works well.
>> >>
>> >> On 12 Apr 2016, at 22:41, Miller, Brad L <BLMILLER at comerica.com> wrote:
>> >>
>> >> We are using Endace cards which are quite a bit more pricey, but we
>> are actively looking at the Myricom cards now.
>> >>
>> >> My advice – get the Myricom cards.  While you can do pfring using
>> standard cards, nothing beats the low to no capture loss hardware.  The
>> ability to do onboard load distribution with multiple sub interfaces is a
>> killer feature and your Bro config is greatly simplified.  We use a patched
>> version of libpcap for Endace.. but I hear that 2.5 may incorporate native
>> Myricom support.
>> >>
>> >> Without cards like these it is like getting a new mustang but skimping
>> on the powertrain options.
>> >>
>> >>
>> >>
>> >>
>> >> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Giesige, Rich
>> >> Sent: Tuesday, April 12, 2016 4:24 PM
>> >> To: bro at bro.org
>> >> Subject: [Bro] Question about network cards
>> >>
>> >> Hello,
>> >>
>> >> I’m wondering what people are using for network cards in their bro
>> clusters that are not using the Myricom Network Cards. We don’t have
>> $1,000 per card + license to spend on the cards. Is anyone using
>> Intel or other brands that aren’t as expensive to capture their traffic? We
>> are looking at doing all 10 Gig connections into the Bro Cluster.
>> >>
>> >> Thanks for all your answers.
>> >>
>> >> --
>> >> Richard Giesige
>> >> IT Security Analyst
>> >> Office of Information Security
>> >> Oregon State University
>> >>
>> >> "OSU staff will NEVER ask for your password.
>> >> Never email or share your password with anyone."
>> >>
>> >> _______________________________________________
>> >> Bro mailing list
>> >> bro at bro-ids.org
>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >
>>
>>
>
>
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672