[Bro] Endace DAG
Stephen Donnelly
Stephen.Donnelly at endace.com
Wed May 16 22:45:44 PDT 2018
As a note, DAG cards are still not $300 (at least new!), but should not cost more than your server.
You can figure out who to ask if you are interested in actual pricing I would think.
Stephen
From: bro-bounces at bro.org <bro-bounces at bro.org> On Behalf Of Michal Purzynski
Sent: Wednesday, 16 May 2018 5:21 AM
To: Carl Rotenan <carlrotenan at gmail.com>
Cc: bro <bro at bro.org>
Subject: Re: [Bro] Endace DAG
Yes I would :)
Try afpacket and maybe X710. You’re going to invest in cards that cost more than your server (DAG) do why not spend 300 usd and make an experiment.
https://github.com/pevma/SEPTun
https://github.com/pevma/SEPTun-Mark-II
This applies to Bro as well, especially the part about hardware and OS tuning.
On May 15, 2018, at 10:06 AM, Carl Rotenan <carlrotenan at gmail.com<mailto:carlrotenan at gmail.com>> wrote:
Would you say AF_PACKET over PF_RING? Thanks.
On Tue, May 15, 2018 at 11:59 AM, Mike Patterson <mike.patterson at uwaterloo.ca<mailto:mike.patterson at uwaterloo.ca>> wrote:
I don't know how useful my contribution here is, but...
Yes, I have a 9.2X2 we purchased in 2010, now in its second server and fourth or fifth Bro install. Obviously having kept it this long, I don't have many complaints. At the same time, I don't find a whole lot of difference between it and the Intel X520s we have deployed with PF_RING (and one of our newer PF_RING installations is outperforming the DAG). That said, I've spent more time playing with the X520s, so it's possible the DAG could outperform them with equivalent TLC (and also obviously this is an older card) - but X520s are older nowadays too.
I haven't tried the bro-pkg for the DAG yet, although once I've got some free time (hahaha) I would very much like to give it a try. Also YMMV quite a bit depending on the hardware you're marrying to your NICs, your real-world network traffic, specific distribution/kernel version, etc etc etc.
And I expect that at least one regular list contributor might suggest you try AF_PACKET with your Intels. :)
Mike
> On May 15, 2018, at 11:39 AM, Carl Rotenan <carlrotenan at gmail.com<mailto:carlrotenan at gmail.com>> wrote:
>
> Is anyone using the Endace DAG cards? I looking for the performance gains over using PF_RING and off the shelf Intel cards. Ultimately I'm looking for the best file extraction performance that can be achieved. Thanks in advance.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org<mailto:bro at bro-ids.org>
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180517/addfde74/attachment-0001.html
More information about the Bro
mailing list