[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bro
Subject:    Re: [Bro] Hardware Experience
From:       "William L. Jones" <jones () tacc ! utexas ! edu>
Date:       2009-06-30 17:22:38
Message-ID: 0E07074B82CE4B4A9982802A8484B6968364AD48DA () EXCHANGE2K7 ! tacc ! utexas ! edu
[Download RAW message or body]

TACC is using the Sun dual port cards. 

The system runs bro cluster with ip filters to break the traffic up into multiple ip \
quadrants this allow different cpu to work on each quadrant of ip space.   

My rule of thumb is that it takes 1 cpu to process 1 Giga/bit of data. 

Right now the system is a 4 cpu system to monitor two 10 GigE connection, it just a \
starter system.  I plan to upgraded it to two 8 cpu system each monitoring one   10 \
GigE connection later this year.

I don't know how far this configuration will scale. 

Bill Jones 



-----Original Message-----
From: bro-bounces@ICSI.Berkeley.EDU [mailto:bro-bounces@ICSI.Berkeley.EDU] On Behalf \
                Of Nick Buraglio
Sent: Monday, June 29, 2009 4:22 PM
To: bro@bro-ids.org
Subject: Re: [Bro] Hardware Experience

I actually did quite a bit of the work with Aashish on the Dag and  
Myricom cards (I was the one that gave them to him back when I still  
worked at NCSA), and like he said we had lots of issues with them.   
Endace support was helpful but in the end it was a more supportable  
direction to go with the Intel and Myricom cards.
Using NICs has proven to be very robust for us.  I have the cards that  
I'd originally sent the mail out about running on a FreeBSD 7.2 system  
watching pretty heavily loaded links and so far have not seen any  
issues.

nb

---
Nick Buraglio
Network Engineer, CITES, University of Illinois
GPG key 0x2E5B44F4
Phone: 217.244.6428
buraglio@illinois.edu



On May 27, 2009, at 11:21 PM, Aashish Sharma wrote:

> Hi Sean:
> 
> Back in 2006 we got 4 Dag 6.2SE cards to monitor our 10G links.  
> During the time we were running firmware 2.5.7.5. on the cards. We  
> had real hard time keeping Bro running reliably in a sustained  
> manner using Dag cards.  We encountered a lot of issues - including  
> lack of drivers, lack of built in support for libpcap, crashing of  
> Bro repeatedly, heating up and crashing of system as well.
> 
> In fact, Robin helped us quite a bit and even wrote drivers and  
> support for Dag in Bro.  Endace support was prompt too and they  
> provided us with a new modified firmware but not much changed.
> 
> During all that time, For production Bro we relied on a pair of  
> Intel 10G cards while we resolve this issue with Dag cards (spent  
> considerable time trying to get this working),
> 
> All in all, we had lot of issues running Dag capture cards reliably.  
> Eventually, we gave up and got Myricom 10G cards.  We have been  
> quite happy with Myricom cards and have not encountered any issues  
> since.
> 
> Hope this helps,
> 
> Aashish Sharma
> NCSA
> 
> 
> On Wed, May 27, 2009 at 02:54:39PM -0600, Sean McCreary wrote:
> > I'd be careful about purchasing 10G NICs for packet capture.  I  
> > have not
> > been able to configure a FreeBSD 6.3 system with a Myricom Myri-10G  
> > NIC
> > to reliably capture traffic on a lightly loaded link (~2Mb/s, ~240
> > kpps).  One option I'm interested in trying is the Endace DAG,
> > <http://www.endace.com/dag-network-monitoring-cards.html>.  Does  
> > anyone
> > have experience using these cards with bro?
> > 
> > Nick Buraglio wrote:
> > > Good afternoon, list.  I'm hoping to get a quick opinion on some
> > > hardware.  I've done some brief looking and not really found what  
> > > I'm
> > > seeking so I'll post here in hopes that one of you can share some
> > > experience.
> > > I'm exploring deployment of some Bro boxes and was hoping to  
> > > leverage
> > > a great deal that Sun is offering to get the hardware.  I know that
> > > the boxes can do what I need them to do, as I've worked on Bro
> > > implementations elsewhere.  What I'd really like to know is if  
> > > anyone
> > > has used the Sun (Intel Chipset 82598) dual port 10g cards?   
> > > They're a
> > > decent savings of capitol, but I'd rather just spend the money to  
> > > get
> > > the cards I'm used to (single port 10g Intel or Myricom) if the dual
> > > port cards behave strangely or are a time-vortex to get working.
> > > I'm making an assumption that the dual port cards operate similar to
> > > the single port cards.  Has anyone used these in a bro deployment?
> > > 
> > > 
> > > Thanks,
> > > nb
> > > ---
> > > Nick Buraglio
> > > Network Engineer, CITES, University of Illinois
> > > GPG key 0x2E5B44F4
> > > Phone: 217.244.6428
> > > buraglio@illinois.edu
> > _______________________________________________
> > Bro mailing list
> > bro@bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro@bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic