[Bro] Bro 10Gb Performance

Munroe Sollog mus3 at lehigh.edu
Thu May 11 12:42:05 PDT 2017


I am using all commodity hardware:
10:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)

and I am seeing <5% packet loss.  I am currently using Bro 2.5 with
AF_PACKET.  Bro generally sees on average 7-8Gbps from the taps.


On Thu, May 11, 2017 at 3:36 PM, Edgmand, Craig <craig.edgmand at okstate.edu>
wrote:

> We are currently running Bro with 1 Gb intel cards and vanilla PF_RING and
> we have acceptable packet loss after filtering (1 – 3 percent), but we need
> to move up to 10 Gb sensors.
>
> Is there anyone that is using commodity hardware and Intel X520 network
> cards with Bro to process 10GB of traffic using AF_PACKET, vanilla PF_RING
> or PF_RING ZC?
>
> In the paper 100G Intrusion Detection, they utilized Myricom 10 Gb cards,
> with the sniffer software and were only running 10 workers per node or up
> to 1 Gb per worker.  Is this possible with Intel X520 using AF_PACKET or
> PF_RING? It is my understanding that AF_PACKET is broken in some kernels (I
> have used Justin’s fanout tool) and requires a driver update.
>
> Is there a diminishing return for number of workers per server?
>
> Michael Purzynski published a great paper on Suricata performance tuning
> to achieve 20 Gb throughput on commodity hardware using AF_PACKET.  Is
> there a corresponding Bro document?
>
> Thanks,
>
> Craig Edgmand
>
> IT Security
>