Bro with 10Gb NIC's or higher

Hi Aashish,

Could you please elaborate a little bit more on the “shunting capability”? Do you mean using a BPF filter for bro? And what are some good filters for large/encrypted flows?

Thanks.

-Clement

It can be done with BPF; take a look at this https://www.bro.org/sphinx-git/scripts/policy/frameworks/packet-filter/shunt.bro.html
Usually for lots of traffic it is better to do in a hardware device in front of your bro machines though.
I know some people are using arista switches for loadbalancing and shunting but there are probably other devices also that work well for this.

//Kristoffer

Kelly makes a very good point… Using an intelligent NIC as a front end to Bro makes a lot of sense for networks with strenuous traffic profiles and/or high data throughput. Shunting or filtering in SW on the host eats up computing resources that can better be used to run additional worker threads. Hardware based filtering and load balancing gives you back these cycles. Filtering out flows that are not of interest is a typical use case (examples being SSL traffic, fragmented packets, elephant flows, etc.).

Regards,
Jerome Taylor
M: 978-764-1269
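As an added illustration of the BPF-based shunting Kristoffer points to and the flow classes Jerome lists (example code, not from this thread or from the Bro project): a Python model that keeps a bounded table of shunted connections, compiles it into one `not (...)` capture filter, and shunts TLS flows once their handshake is past and elephant flows once they cross a byte threshold. The thresholds, the cap of 100 and the sample flows are constructed values, and the table only models what the shunt.bro script does; the real script installs its filter through Bro's PacketFilter framework.

```python
import ipaddress

# Constructed thresholds; shunt.bro itself only caps how many shunts are active.
MAX_BPF_SHUNTS = 100               # assumed cap on active BPF shunts
TLS_HANDSHAKE_BYTES = 8 * 1024     # beyond this a TLS flow is opaque payload
ELEPHANT_BYTES = 50 * 1024 * 1024  # bulk transfer we no longer want to inspect
BASE_FILTER = "ip or not ip"       # capture everything while nothing is shunted

def conn_to_bpf(conn):
    """BPF term for both directions of (orig_h, orig_p, resp_h, resp_p); TCP assumed."""
    orig_h, orig_p, resp_h, resp_p = conn
    fam = "ip6" if ipaddress.ip_address(orig_h).version == 6 else "ip"
    return (f"(({fam} host {orig_h} and tcp port {orig_p}) and "
            f"({fam} host {resp_h} and tcp port {resp_p}))")

class ShuntTable:
    """Bounded list of shunted connections compiled into one capture filter."""
    def __init__(self, max_shunts=MAX_BPF_SHUNTS):
        self.max_shunts, self.shunted = max_shunts, []

    def shunt(self, conn):
        if conn in self.shunted:
            return True
        if len(self.shunted) >= self.max_shunts:  # refuse: keeps the BPF program small
            return False
        self.shunted.append(conn)
        return True

    def filter(self):
        if not self.shunted:
            return BASE_FILTER
        return "not (" + " or ".join(conn_to_bpf(c) for c in self.shunted) + ")"

def should_shunt(service, bytes_seen):
    """TLS past the handshake and elephant flows give the analyzers nothing more."""
    return ((service == "ssl" and bytes_seen >= TLS_HANDSHAKE_BYTES)
            or bytes_seen >= ELEPHANT_BYTES)

def apply_policy(table, flows):
    """flows: (conn, service, bytes_seen) tuples; returns the new capture filter."""
    for conn, service, seen in flows:
        if should_shunt(service, seen):
            table.shunt(conn)
    return table.filter()
# Constructed sample flows (documentation address ranges), not real traffic.
SAMPLE_FLOWS = [
    (("192.0.2.5", 51000, "198.51.100.10", 443), "ssl", 9_000),              # shunt
    (("2001:db8:1::7", 33000, "2001:db8::10", 873), "-", 120 * 1024 * 1024),  # shunt
    (("192.0.2.9", 44000, "198.51.100.2", 80), "http", 3_000),               # keep
]
```

Every entry adds a term the kernel evaluates per captured packet, and the filter has to be reinstalled whenever the table changes, which is why the cap matters and why a hardware front end handles this better at 10 Gb and above.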

Hello,

We at UT Austin are fairly new to Bro and new to the list (been following, but never posted), but I thought I’d share my experience.

We have had good luck monitoring our traffic which sustains ~17-20 Gbps during peak hours with 2 devices made by a company called Netronome. The traffic is distributed between the 2 clustered devices using an integrated load balancer which evenly spreads the traffic across all the processors which have been pinned to corresponding bro workers.

We see very little traffic loss - random ~2-3% drops per Bro instance with the occasional larger ~10% drop.

Our configuration:

  • 2 clustered devices 40 cores each with 32 workers and 4 proxies
  • Primary device with 2 10 gig cards

Hope this is helpful.

-Kelly
UT Austin