Yeah, this is probably a FAQ, but I thought I’d see if, especially with newer Bro, there’s a prevailing wind. I’ve been running a single 1 gig Linux Bro box for a little over a year and it just hums along. For my Christmas project, I’m going to upgrade to 10 gig (probably only single) and will likely rebuild the box while I’m at it. A second 10 gig is possible in the future. I’m comfortable with both FreeBSD and Linux and will have a Myricom 10 gig NIC. Thoughts/suggestions regarding implementation choices?
There are at least 2 large FreeBSD installations monitoring 10-50Gbps (one that can scale to 100Gbps). I believe both utilize Myricom cards, so from a performance perspective you can get the necessary performance out of FreeBSD.
My focus has been on the low end of this (1-10Gbps) getting FreeBSD to scale on commodity hardware, as FreeBSD 12 will have updated netmap code for better packet I/O.
Though I live and die by BSD, it is up to you what you feel more comfortable with, for maintenance and operations. With management tools like Salt/Ansible/Puppet, it really is a personal/organizational preference as to which one you use.
FreeBSD 11 has shown better network performance compared to some Linux distros in a recent test with netperf/iperf, but the test did not cover packet monitoring:
https://www.phoronix.com/scan.php?page=article&item=netperf-bsd-linux&num=3