10g Nic Cards

Harry_Hoffman · May 6, 2013, 9:20pm

Myricom seems to be the recommended card for pricing.

Cheers,
Harry

Slagell_Adam_J · May 6, 2013, 9:35pm

But you need to pay for the sniffing driver to really make use of them.

Vlad_Grigorescu2 · May 6, 2013, 11:09pm

This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver and the price comes out to be just about the same as Myricom[1]. You can opt to not get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees, however this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.

Other advantages of the Myricom cards is that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.

Hope that provides some insight into why we went with Myricom, at least.

  --Vlad Grigorescu
    Senior Information Security Engineer
    Carnegie Mellon University

[1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.

Michael_Brandeis · May 6, 2013, 11:33pm

At UC Riverside we just purchased 6 cards from Silicom and did not have to pay for PF_RING or DNA licenses (cards are detected as PF_RING ready, no separate licensing required). Cost per dual 10G card with optics was right around $1k, so that may be roughly equivalent to buying a Myricom card plus license, but the costs and licensing are not wildly disparate from a University perspective.

I haven't done a performance comparison vs Myricom, but we haven't had any performance issues here, nor has the setup been funky.

-michael

Seth_Hall3 · May 7, 2013, 4:42am

Would you mind going into more detail about what the configuration is like or point to docs? Are you actually using PF_RING+DNA?

.Seth

Michael_Brandeis · May 7, 2013, 4:43pm

Yes, I can write something up. I am currently setting up some elasticsearch servers to test bro's elasticsearch output and test using logstash+elasticsearch as a replacement for our syslog servers. I'll work on a writing up some details on everything.

William_Jones · May 8, 2013, 7:36pm

I just tried pf ring with the lasts bro. The following is the worker node entry in node.cfg:

[worker-1]
type=worker
host=ids.tacc.utexas.edu.
interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
lb_method=pf_ring
lb_procs=4

When a look at the conn.log file if find the following entries like the following:

1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3

I though that pf_ring hash flows so that the same flow always went to the same worker so that a worker saw all traffic for flow.

I am using two dual port intel 520 nick to read packets from 10 GigE two port lacp pair off two taps.

Is there anyone elese using taps with pf_ring. If so do you see anything wrong with my config?

Bill Jnes

jessebowling · May 8, 2013, 7:45pm

Hi Bill,

I configured my PF_RING enabled workers like:

[worker-1]
type=worker
host=10.10.10.10
interface=p2p1;p2p2;p2p3;p2p4
lb_method=pf_ring
lb_procs=8

…I also had to make a change I referenced on-list:

William_Jones · May 8, 2013, 8:47pm

I change my interface line to mach yours. Now I don’t see any pf_ring entries that indecat that pf_ring is active in /proc/net/pf_ring/

I should see entry like the following for each open device: 8115-p1p1.667.9.

Could you check your system /proc/net/pf_ring and see you are really using pf_ring.

William_Jones · May 9, 2013, 4:08pm

Thank for correcting me on the right way to specify multiple interface when using pf_ring. It resolved my issue with flows show up in multiple works.

Thanks

Tyler_Schoenke · May 16, 2013, 9:19pm

We were pricing out 64 core (4x 16 processors AMD). Does anyone know
if the Myricom's can support load balancing to 64 cores? I recall the
32 core limit for PF_RING.

Tyler

Keith_Lehigh1 · May 17, 2013, 12:12am

32 rings per adapter according to this [1]

- - Keith

[1] https://www.myricom.com/software/sniffer10g/470-what-is-the-maximum-number-
of-rings-supported-by-sniffer10g.html

Topic		Replies	Views
Anyone using 40G Intel NIC and PF_RING ZC Zeek	2	66	May 6, 2022
question about a 100 gig nic and support Zeek	2	63	May 6, 2022
NIC benchmarks and selection criteria Zeek	3	60	May 6, 2022
Questions about NICs, PF_RING, and AF_Packet Zeek	5	328	May 6, 2022
100G question Zeek	4	123	May 6, 2022

10g Nic Cards

Related Topics