About Bro Processing Speed

keqhe · March 19, 2013, 5:49pm

Hello,

Does any one know Bro's processing speed? i.e., can it support monitoring
1 Gbps or 10Gbps link?

Thanks!

Mike_Patterson · March 19, 2013, 6:20pm

"It depends."

On - hardware, mostly, and configuration.

I keep meaning to write this up, but on *my* configuration:
* 16 cores of model name : Intel(R) Xeon(R) CPU X5677 @ 3.47GHz
* 72GB of RAM
* Endace DAG (9.2)
* some config magic by Seth, which I'd be happy to share.

6 workers keep up with ~2.5-3Gbps peaks, no problem.

On lesser hardware, your mileage will definitely vary. The secret sauce appears to be the DAG. Hot CPUs doesn't hurt either. You'll probably find that an Endace will cost as much as the server you'd put it in. I think it's worthwhile, but your budget is yours.

It doesn't actually consume all of the above resources - I'm running other things on the box too - but bro itself consumes ~4.5GB resident per worker, and can be counted on to pin most of its allocated cores at peak loads.

Mike

Vlad_Grigorescu2 · March 19, 2013, 6:35pm

Just to throw another data point out there:

* 16 physical cores of model name : Intel(R) Xeon(R) CPU E5-2680 @ 2.70 GHz
* 96GB of RAM
* Myricom NIC

28 workers (I have Hyperthreading turned on) keep up with a 6-7 Gbps average, and I've seen them do fine with short peaks of 9 Gbps or so. The Myricom cards definitely won't break the bank: card + SR optics + perpetual license is $895.

--Vlad

Seth_Hall3 · March 19, 2013, 7:47pm

Oh! I'm not sure why but I never paid attention to the speed of your cores. I suspect that has a huge impact. From what we were looking at it seems like you are capable of handling at least 500Mbps/core.

I'm not sure what the cost differential is between the mid-range processors and what you have in that box, but I'm starting to wonder if the world has been flipped upside down and suddenly the high-end processors are worth the extra expense now (for Bro at least).

As Vlad pointed out, I suspect that the DAG card doesn't really give any performance benefit over the Myricom nics. Although, both of those give huge benefits over something that isn't skipping the network stack and getting rid of interrupts.

.Seth

keqhe · March 20, 2013, 2:42pm

Thanks for the helpful information!

Topic		Replies	Views
BRO performance in a real world Zeek	9	127	May 6, 2022
building a new bro server Zeek	2	78	May 6, 2022
building a new bro server Zeek	9	83	May 6, 2022
Problems with our hardware Zeek	1	75	May 6, 2022
bro machines Zeek	1	65	May 6, 2022

About Bro Processing Speed

Related Topics