Over time I have seen various posts about building Bro on Linux instead of FreeBSD, and recently someone said, I think, that it should build out of the box on both systems. My understanding has always been that performance is much better under FreeBSD due to the way bpf is implemented, but is it workable on Linux as well? Anyone had experience with a production Bro box on Linux?
My understanding has always been that performance is
much better under FreeBSD due to the way bpf is implemented
Historically that's been true.
but is it
workable on Linux as well? Anyone had experience with a production Bro box
on Linux?
One of our production Bro boxes is running Linux. It occasionally drops
packets under a not very heavy load (it's monitoring a 100 Mbps link that's
not used heavily), but so far I haven't been able to correlate these with
a particular cause such as high-rate traffic spikes.
That said, we continue to use FreeBSD for our very-high-performance
(1-10 Gbps) systems. I don't know whether the Linux packet capture has
improved to where it could also take on these loads (that would of course
require that the drops seen on the 100 Mbps link aren't due simply to
packet rate). Linux is supposed to have gotten quite a bit better in
this regard.
OpenBSD would be an attractive option, but the last I checked the way
back machine Bro had issues on OBSD... Curious if anyone has been doing
anything in this regard more recently?
To put it mildly, I've lost track of the number of times I've cursed
OpenBSD because of ongoing build headaches. We generally use it neither
for development nor production, but whenever people report build
problems, we try to go in and fix them. Thus, if there are OpenBSD
issues with the current release, please let us know.
I haven't tried on OBSD in some time. Interesting comments about OpenBSD
headaches. Been using both FreeBSD and OpenBSD since the 2.x days. I know
there have been ongoing issues with Bro on OBSD, but otherwise it's been
rock solid. Wish I could say the same about FreeBSD, which we've all but
abandoned. We use OBSD in more narrowly targeted capacities, however,
so perhaps not a fair comparison.
I don't mean to suggest doubt in OpenBSD's technical quality, it's no
doubt a solid OS. It's merely the (imho) fact that once things build
fine on Linux + OSX + FreeBSD, there's still a significant chance of
build woes on OpenBSD, which translates into extra effort needed on our
side.
That said, I just downloaded 1.4 on an OpenBSD 4.2 machine, and am happy
to report that the whole suite built fine.
Thank you for the report. In the next couple of weeks I'll be bringing a 4.4
box online and may have time to test the build on it. Perhaps someone
with a bit more time could even try to get it in the OBSD tree.
I should amend my FBSD statement to note that pre 5.x releases, and 4.x
in particular, served us extremely well!
It might be time to try FreeBSD again. I've been running 6.x and 7.0
(soon 7.1) in production for the last few years and have been happy.
Early 5.x (5.0 through 5.2.1) weren't considered "STABLE" (that
happened in 5.3), so I understand plenty of concerns with those
releases.
It sounds like FreeBSD is still the way to go for production Bro boxes. I have been very pleased with the speed and stability of FreeBSD 7, and 6.x before it. My interest in running Bro on Linux was due to some issues encountered in integrating FreeBSD into the enterprise environment I deal with. Something like RHEL is accepted a bit more by the C&A auditors since there are more defined “guidelines” for “securing” it. If that makes any sense at all.
Lest you misinterpret, I could tell a LOT more horror stories about
Linux, particularly RH, than FBSD. But with RHEL you get someone else to
blame. That's the big one for corp liability types.
If you haven't already, you may want to try Phil Wood's mmapped pcap
library from http://public.lanl.gov/cpw/. While I haven't beat on this one at
high volumes, I have had Argus losing more than 50% of the traffic on a loaded
(jumbo frame) gig link and reduced that to close to 0 loss with the PF_RING
mmapped Linux code. PF_RING (from www.ntop.org) is hard to get in and then
somewhat unstable (at least in my experience, but then we have web100 in the
same kernel, which may not be helping :-)). Phil Wood's code needs no kernel
mods, just the libpcap library rebuilt and an environment variable set to
cause the program to use the mmap functions.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
OpenBSD would be an attractive option, but the last I checked the way
back machine Bro had issues on OBSD... Curious if anyone has been doing
anything in this regard more recently?
Bro builds well and works fine on it. I used Bro 1.3.x, then 1.4, on
various recent OpenBSD distributions (I mean versions) without
problems.
As I follow OpenBSD's development (I run "-CURRENT"), I try Bro
1.4 on all new releases. Be sure I'll post some news in case of
problems.
With regards,