Hello all,
I've read a number of research papers on using commodity hardware for
high speed network capture and I'd like to solicit real world feedback
on performance.
Endace products work great, however I'm interested to know of other
cards that prove to be worthwhile.
If you're running a custom built implementation that is processing >=
700Mbps on average then you're the person I want to hear from.
Off-list replies are fine. I'll summarize the results if people are
interested.
Thanks!
--Jason
Here are some metrics off the top of my head...
Card type (vendor, model, pci-e or pci-x)
Hi Jason,
I work for Bivio Networks and we have deployed Bro on our hardware and
achieved multi-gig monitoring throughput. Our hardware is a specialty
networking appliance and not commodity hardware with an accelerator
card.
Our appliance is a Linux based operating system with a distributed
multi-core architecture. The system I ran this testing on was a
12 core system. Our systems can actually be daisy chained together using
a backplane cable, which would provide more cores for more horsepower.
The configuration of Bro, size of the packets, and type of traffic that
is sent to the system can have significant impact on processing
throughput. In most of the tests I ran I saw performance between
500Mb/s to 6Gb/s.
I'm not really sure if that is the information you are looking for but it's
another option for high speed Bro processing.
// Joel
Joel,
Please understand that this post is not intended to be antagonistic in any
way, but I remember Bivio claiming to (briefly) natively support Bro (with a
custom and/or pre-compiled and/or optimized-for-hardware version; IIRC it
was called "Brooklyn").
Policy prevents me from publicly endorsing any product/service/vendor
(etc.). I will say, though, that your appliances perform approx. as well as
the sales documents claim they do, in real-world use.
Which brings me to my question: is there a resurgence in Bro interest within
your company? Or are you simply stating above that you have a platform which
can run a NIDS stack at high speeds?
Public or private reply is O.K.
Thanks,
Matt Cuttler
Hi Matt,
I know there has been work with Bro in the past but I do not know to
what extent nor do I have any past information. I come from an
open-source/security background and my role at Bivio is solutions
engineer. Since I have been here I have worked to make a number of
open-source tools into Bivio packages that work natively.
Bro is one of the ones I have had a chance to work on. We do have
customers who are currently using Bro on our platform and are quite
happy with the results.
I hope that answers your question. My goal is not to "market" to this
list so if you have questions about our solutions or what native
applications we offer feel free to drop me an email directly.
// Joel
Hi Joel,
Didn't mean to accuse (or imply an accusation) that you were marketing to
this list; I hope it didn't come across that way.
I'd like to hear more about the throughput results you've gotten with Bro on
your company's platform, and any build/compile-time tweaks you've got to
share. For the sake of saving bandwidth/inbox space etc., you can reply
off-list (or if you feel it's on-topic, we can communicate on-list).
Thanks,
Matt Cuttler
Matt Cuttler wrote:
>> I work for Bivio Networks and we have deployed Bro on our hardware and
>> achieved multi-gig monitoring throughput. Our hardware is a specialty
>> networking appliance and not commodity hardware with an accelerator
>> card.
> Joel,
> Please understand that this post is not intended to be antagonistic in any
> way, but I remember Bivio claiming to (briefly) natively support Bro (with a
> custom and/or pre-compiled and/or optimized-for-hardware version; IIRC it
> was called "Brooklyn").
I talked to their sales group briefly about this. They report having a
specialized package for Bro to work with their environment (the Bivio
API)... at least that's how I understood it.
Another reader pointed out http://www.pcapexpress.com/ which looks
interesting as they support FreeBSD as well as Linux.
I'll wait for a couple of days and post the anonymized results to the
wiki. In the absence of confirmed performance results, at the least the
potential to seed the next research paper exists. Many of the papers
I've read only compare commodity hardware to Endace.
--Jason