[Zeek] Zeek 3 / Vmware ESXi

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Fri Feb 14 11:09:43 PST 2020


Stéphane,

I've spent considerable time performing strength tests with Zeek, Suricata,
and Snort with BreakingPoint chassis and similar testing platforms.

The biggest issue you will face is unpredictable resources. Where possible,
isolate the resources for the Zeek instance from other guests on the
fabric.  Zeek isn't really going to know the difference between being
virtual or physical.  As other guests pull from the same source, you will
see an impact. PF_Ring and AF_Packet can be used.  In the past, I've stuck
with PF_Ring as it was a bit more predictable.  This isn't a requirement,
just a preference I have based on previous experience.

For comparison, when I run a 10 Gbps test against physical instances of
Zeek, I will see an average of 7.6 Gbps of actual throughput with a +/- 5%
variation.  With virtual instances on VMware with nothing else running, I
will see closer to 6.4 Gbps with the same traffic replay, showing a +/- 15%
variation. It's just a bit harder to nail down your performance baseline.

I would recommend that you enable jumbo packet support as it will help with
latency and keep an eye on things. Mileage may vary.

Obviously, some traffic is more costly than others. FTP, DNS, etc. are
going to be less of an impact than SMB.  Some detections are more costly than
others.

Hope this helps and as you say, "Mon milieu de vie!".

-PK

On Fri, Feb 14, 2020 at 8:54 AM Lantin, Stéphane <slantin at cegepbc.ca> wrote:

> Hello,
>
> I have installed Zeek on ESXi and the hardware is dedicated for Zeek.
>
> Everything works fine, Zeek logs the network.
>
> My question is, what difference is there for Zeek to be run on virtual vs
> physical?
>
> Our highest throughput is 125mbps for our ISP and about 1Gbps internal.
>
> Some suggest it might impact the performance, but where could it struggle
> on a VM?
>
> Thank you for your time,
>
> _____________________________
>
> *Stéphane Lantin*
>
> *IT Technician - C.P*
>
> *Information Technology Department*
>
> *Cégep de Baie-Comeau*
>
> *(418) 589-5707 ext. 178*
>
> *slantin at cegepbc.ca <slantin at cegepbc.ca>*



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
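The reply above boils down to two points: on shared virtual hardware the capture rate varies from interval to interval, and you have to "keep an eye on things". The way that variation shows up on the sensor itself is in Zeek's capture_loss.log, so here is a small monitor, added as an illustration and not code from the thread or from the Zeek project, that parses that log's TSV format, summarizes loss per worker and flags workers whose peak loss or interval-to-interval spread exceeds a threshold. The log lines are constructed sample data, and the thresholds (1% peak, 0.5% spread) are assumptions for the example rather than Zeek defaults.

```python
"""Flag Zeek workers whose capture_loss.log shows high or erratic packet loss.

On a virtualized sensor, contention from other guests tends to show up as
capture loss that swings between intervals, so this looks at both the worst
value and the spread per worker instead of a single reading.
"""
from statistics import mean, pstdev

# Constructed sample of Zeek's capture_loss.log (tab-separated, header lines
# start with '#', 900 s intervals). worker-1-1 has one bad interval.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tcapture_loss
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1581699000.000000\t900.000000\tworker-1-1\t12\t48000\t0.025
1581699900.000000\t900.000000\tworker-1-1\t4800\t52000\t9.23
1581700800.000000\t900.000000\tworker-1-1\t9\t47000\t0.019
1581699000.000000\t900.000000\tworker-1-2\t3\t51000\t0.006
1581699900.000000\t900.000000\tworker-1-2\t5\t50000\t0.010
1581700800.000000\t900.000000\tworker-1-2\t2\t49000\t0.004
#close\t2020-02-14-12-00-00
"""


def parse_capture_loss(text):
    """Parse Zeek TSV capture_loss records into dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            # The #fields header names the columns for the records that follow.
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other metadata lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("record seen before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["gaps"] = int(rec["gaps"])
        rec["acks"] = int(rec["acks"])
        rec["percent_lost"] = float(rec["percent_lost"])
        records.append(rec)
    return records


def summarize_by_peer(records):
    """Per worker: sample count, max, mean and population stdev of percent_lost."""
    by_peer = {}
    for rec in records:
        by_peer.setdefault(rec["peer"], []).append(rec["percent_lost"])
    return {
        peer: {
            "samples": len(values),
            "max": max(values),
            "mean": mean(values),
            "stdev": pstdev(values),
        }
        for peer, values in by_peer.items()
    }


def flag_workers(summary, max_threshold=1.0, stdev_threshold=0.5):
    """Return {peer: [reasons]} for workers that breach either threshold.

    Thresholds are assumptions for this example, not Zeek defaults.
    """
    flagged = {}
    for peer, stats in summary.items():
        reasons = []
        if stats["max"] > max_threshold:
            reasons.append(f"peak loss {stats['max']:.2f}% > {max_threshold}%")
        if stats["stdev"] > stdev_threshold:
            reasons.append(f"loss spread {stats['stdev']:.2f}% > {stdev_threshold}%")
        if reasons:
            flagged[peer] = reasons
    return flagged


if __name__ == "__main__":
    flagged = flag_workers(summarize_by_peer(parse_capture_loss(SAMPLE_LOG)))
    for peer, reasons in flagged.items():
        print(peer, "->", "; ".join(reasons))
```

Point it at a real capture_loss.log (read the file instead of SAMPLE_LOG) and run it from cron or a log shipper; a worker that trips the spread check while its peers stay flat is the noisy-neighbour symptom the reply describes, and a good signal that the VM's CPU or NIC queue reservation needs tightening.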