10g Nic Cards

Myricom seems to be the recommended card for pricing.

Cheers,
Harry

But you need to pay for the sniffing driver to really make use of them.

This is actually the same for Intel NICs as well. If you go the Intel route, you'll probably want a similar license for ntop's PF_RING + DNA driver and the price comes out to be just about the same as Myricom[1]. You can opt to not get this license, but performance will suffer. Research and educational networks used to get an exemption from ntop license fees, however this is no longer the case for PF_RING + DNA since development was subsidized by Silicom. If you get a dual-port NIC, the difference becomes even more exaggerated, as the ntop license is $261 *per port* as opposed to the $295 *per card* Myricom license.

Other advantages of the Myricom cards are that they're easier to work with and a bit faster. The Myricom sniffer driver doesn't require special privileges to sniff traffic, so you don't have to do funky setcap stuff - it "just works," even if you don't run Bro as root. From a simple test that someone at a large university ran, pitting a Myricom card with the Myricom sniffer driver against an Intel card with the top-of-the-line ntop driver (PF_RING + DNA + libzero - a $500 license), the Myricom card was better performing.

Hope that provides some insight into why we went with Myricom, at least.

  --Vlad Grigorescu
    Senior Information Security Engineer
    Carnegie Mellon University

[1] - Using CDW prices, Myricom + 10G short-range optics + license is $864.98, while Intel x540 + 10G short-range optics + license is $850.98.

At UC Riverside we just purchased 6 cards from Silicom and did not have to pay for PF_RING or DNA licenses (cards are detected as PF_RING ready, no separate licensing required). Cost per dual 10G card with optics was right around $1k, so that may be roughly equivalent to buying a Myricom card plus license, but the costs and licensing are not wildly disparate from a University perspective.

I haven't done a performance comparison vs Myricom, but we haven't had any performance issues here, nor has the setup been funky.

-michael

Would you mind going into more detail about what the configuration is like or point to docs? Are you actually using PF_RING+DNA?

  .Seth

Yes, I can write something up. I am currently setting up some elasticsearch servers to test bro's elasticsearch output and test using logstash+elasticsearch as a replacement for our syslog servers. I'll work on writing up some details on everything.

I just tried pf_ring with the latest bro. The following is the worker node entry in node.cfg:

[worker-1]
type=worker
host=ids.tacc.utexas.edu.
interface=p1p1.667 -ip1p2.667 -ip2p1.667 -ip2p2.667
lb_method=pf_ring
lb_procs=4

When I look at the conn.log file I find entries like the following:

1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3

I thought that pf_ring hashed flows so that the same flow always went to the same worker, so that a worker saw all traffic for a flow.

I am using two dual-port Intel 520 NICs to read packets from a 10 GigE two-port LACP pair off two taps.

Is there anyone else using taps with pf_ring? If so, do you see anything wrong with my config?
  
Bill Jnes
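
A way to check a whole conn.log for the symptom described in the message above, as an added example that is not part of the original thread: it groups entries by direction-independent 5-tuple and reports flows logged by more than one worker. It assumes whitespace-separated fields with the worker name in the last column, as in the excerpt above; `split_flows`, `flow_key` and the `window` parameter are hypothetical names, and the third sample line is constructed.

```python
from collections import defaultdict

# Two lines copied from the conn.log excerpt above, plus one constructed line
# (192.0.2.x / 198.51.100.x addresses) for a flow seen by a single worker.
SAMPLE = """\
1368039512.116220 hla3Z6U8RRb 128.83.144.198 40873 129.114.62.11 22 tcp - 0.097901 0 96 OTH F 0 dA 1 40 1 88 (empty) worker-1-1
1368039512.362164 lSJB3FANh21 128.83.144.198 40873 129.114.62.11 22 tcp - 0.002922 48 0 OTH F 0 DA 2 128 0 0 (empty) worker-1-3
1368039513.000000 aBcD1234efg 192.0.2.10 51000 198.51.100.7 443 tcp ssl 1.5 900 4000 SF F 0 ShADadFf 10 1400 12 4600 (empty) worker-1-2
"""

def flow_key(orig_h, orig_p, resp_h, resp_p, proto):
    """Direction-independent 5-tuple, so A->B and B->A map to the same flow."""
    a, b = sorted([(orig_h, orig_p), (resp_h, resp_p)])
    return (a, b, proto)

def split_flows(log_text, window=60.0):
    """Return {flow_key: sorted worker names} for flows logged by more than
    one worker within `window` seconds of the flow's first entry."""
    first_seen = {}
    workers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip Bro header lines
            continue
        f = line.split()
        if len(f) < 8:
            continue  # malformed or truncated line
        ts, worker = float(f[0]), f[-1]  # assumption: worker name is last field
        key = flow_key(f[2], f[3], f[4], f[5], f[6])
        start = first_seen.setdefault(key, ts)
        # Entries far apart in time are treated as port reuse, not a split flow.
        if abs(ts - start) <= window:
            workers[key].add(worker)
    return {k: sorted(w) for k, w in workers.items() if len(w) > 1}

if __name__ == "__main__":
    for (a, b, proto), seen in split_flows(SAMPLE).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} {proto} logged by {', '.join(seen)}")
```

An empty result after a configuration change means no flow in the log was recorded by two different workers inside the time window.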

Hi Bill,

I configured my PF_RING enabled workers like:

[worker-1]
type=worker
host=10.10.10.10
interface=p2p1;p2p2;p2p3;p2p4
lb_method=pf_ring
lb_procs=8

…I also had to make a change I referenced on-list:

I changed my interface line to match yours. Now I don't see any pf_ring entries that indicate that pf_ring is active in /proc/net/pf_ring/

I should see entry like the following for each open device: 8115-p1p1.667.9.

Could you check your system's /proc/net/pf_ring and see if you are really using pf_ring?

Thanks for correcting me on the right way to specify multiple interfaces when using pf_ring. It resolved my issue with flows showing up in multiple workers.

Thanks

We were pricing out 64 core (4x 16 processors AMD). Does anyone know
if the Myricoms can support load balancing to 64 cores? I recall the
32 core limit for PF_RING.

Tyler

32 rings per adapter according to this [1]

- - Keith

[1] https://www.myricom.com/software/sniffer10g/470-what-is-the-maximum-number-of-rings-supported-by-sniffer10g.html