100G Bro monitoring technical paper


As announced at Brocon, we have completed the technical document which describes the architecture of our 100G Bro monitoring system. As part of our project, we created this comprehensive document meant to be shared widely within the security community:


The document begins with the background and design decisions and then describes the build process including specific part numbers and configurations. We also include a review of performance and a description of our shunting mechanism, which increases performance by removing large and long-running flows from analysis.

Please feel free to share this link and the document with anyone and direct any questions or comments to security@lbl.gov. A huge thanks to the many folks in our community who helped influence the design of the system and this document.

Thank you,


This is an amazing document. It has pretty much everything you’d need to get off the ground. Arista configs, Bro configs, Bro hardware specs… They did pretty much everything except build it for you.

Add a logging cluster and you’ve got an amazing analytics platform on top of all of your packets.

Fantastic work fellas.