Cool! But I can’t believe you’re Bro instance is doing much inspecting if it’s receiving line-rate packets and only using 1% CPU. As I said before, the majority of the CPU time is usually in pattern matching and protocol decoding (which is basically pattern matching), so I’m assuming that unless the pattern matching is also hardware accelerated, you’re not pattern matching much of the traffic being sent to Bro. Is that the case?
I believe the 1% utilization is in reference to the slight CPU
interaction with DMA transfers. The rest is left to
From what I understand of the documentation there are some pattern
matching capabilities in the NT20E that might be leveraged to deliver
specific traffic to the application. I'm still reading if and how
running multiple Bro instances (using cpuset ) dedicated to certain
types of traffic will work.
Martin Holste wrote: