[Bro] Bro 10Gb Performance

Edgmand, Craig craig.edgmand at okstate.edu
Thu May 11 12:36:06 PDT 2017


We are currently running Bro with 1 Gb Intel cards and vanilla PF_RING and we have acceptable packet loss after filtering (1 - 3 percent), but we need to move up to 10 Gb sensors.

Is there anyone that is using commodity hardware and Intel X520 network cards with Bro to process 10GB of traffic using AF_PACKET, vanilla PF_RING or PF_RING ZC?

In the paper 100G Intrusion Detection, they utilized Myricom 10 Gb cards with the sniffer software and were only running 10 workers per node or up to 1 Gb per worker. Is this possible with Intel X520 using AF_PACKET or PF_RING? It is my understanding that AF_PACKET is broken in some kernels (I have used Justin's fanout tool) and requires a driver update.

Is there a diminishing return for number of workers per server?

Michael Purzynski published a great paper on Suricata performance tuning to achieve 20 Gb throughput on commodity hardware using AF_PACKET.  Is there a corresponding Bro document?

Thanks,

Craig Edgmand
IT Security