Bro uses libpcap packet capture library... the library uses
different ways to capture packets on various OS platforms...
If I'm not mistaken, for fast networks it's better to use
BSD derived operating systems (OpenBSD, FreeBSD...) because
they use BPF packet filtering mechanism that is part of operating
system... and as far as I know BPF provides the best performance...
Right.
however, I'm sure that even BPF's performance would not be enough
for gigabits network... Unless BPF+ replaced the original BPF
implementation, there's no way bro can sustain gigabits speed.
What's crucial is the make-up of the traffic: how much is there, how much
of it matches the filter, and what sort of analysis has to be performed
for the captured traffic.
We currently have several Bro's monitoring GigEther links. They don't
usually have trouble keeping up, and this is running on old hardware.
However, even LBL's access link is nowhere close to saturated. (Bro on
that hardware could not keep up with a significantly higher traffic flow.
We have newer hardware coming in, though, which I'm betting can.) The one
trick we use is large kernel BPF buffers, and making sure that libpcap
doesn't limit the buffer size. This wasn't that important for 100 Mbps,
but is crucial for Gbps.
Vern