Performance questions

I’ve been testing out bro 1.1c, and am looking at putting it into production, but have a couple of questions about hardware and performance issues. I’m currently running under FreeBSD 6. The throughput it’ll be watching won’t be extremely high (~200Mb), but connection counts will be quite high. The main question is whether to get a multiprocessor/multicore box, or split out some of the traffic to multiple smaller boxes. I haven’t seen any discussion in the archives about support for SMP (other than a 2005 conversation about the lack of SMP under Linux) and I’d prefer to not split out into multiple boxes, so I wanted to verify if bro will take advantage of the multiple processors.

The other question is about the performance/CPU impact of the Dynamic Protocol Detection feature in 1.2, since I haven’t seen discussion around that and would like to use it.

Thanks,

Zac

split out into multiple boxes, so I wanted to verify if bro will take
advantage of the multiple processors.

It does not, for the most part. All of the main analysis is done in
a single process and not able to make use of multiple CPUs. The only
exception is remote communication which does the actual I/O via a
second process (but just the I/O; e.g., data structures are still
serialized by the main process).

We're planning to structure the processing into something more
parallelizable eventually but this will take some time.

The other question is about the performance/CPU impact of the Dynamic
Protocol Detection feature in 1.2, since I haven't seen discussion around
that and would like to use it.

The main performance impact is the need to inspect all packets
(instead of using a packet filter which selects only the relevant
subset of ports, as Bro used to do it). See this paper for some
performance numbers measured with an earlier prototype:

            http://www.icir.org/robin/papers/usenix06.pdf

Robin
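As an added example (not code from this thread, from Bro, or from the paper above): a small Python model of the trade-off Robin describes. A port-based capture filter hands the analyzer only packets on a fixed set of ports, so it is cheap but never sees a protocol running on a non-standard port; protocol detection from payload has to look at every packet, which is where the extra CPU goes. The port set, the payload signatures, and the six sample packets are all constructed for the illustration and are not Bro's actual filter or DPD signatures.

```python
"""Port-based filtering vs. inspect-everything protocol detection.

Added illustration; the ports, signatures and packets below are
constructed sample data, not Bro's own filter or DPD logic.
"""
from dataclasses import dataclass
import re


@dataclass
class Packet:
    dst_port: int
    payload: bytes


# Hypothetical "interesting" ports, as a port-based BPF filter would select.
ANALYZED_PORTS = {80, 25}

# Hypothetical payload signatures: pick an analyzer from the first bytes of
# a connection rather than from the port number.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^(EHLO|HELO) \S+\r\n"),
}


def classify(payload):
    """Return the protocol name whose signature matches, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.match(payload):
            return name
    return None


def run_analyzer(packets, admit):
    """Feed the analyzer every packet that passes `admit`.

    Returns (packets_inspected, {protocol: count}); the first number is
    the work the analyzer actually has to do.
    """
    inspected = 0
    detected = {}
    for pkt in packets:
        if not admit(pkt):
            continue  # dropped by the capture filter; analyzer never sees it
        inspected += 1
        proto = classify(pkt.payload)
        if proto is not None:
            detected[proto] = detected.get(proto, 0) + 1
    return inspected, detected


def port_filter_pass(packets):
    """Old model: only packets on ANALYZED_PORTS reach the analyzer."""
    return run_analyzer(packets, lambda p: p.dst_port in ANALYZED_PORTS)


def dpd_pass(packets):
    """DPD model: every packet is inspected, regardless of port."""
    return run_analyzer(packets, lambda p: True)


# Constructed traffic: two protocols on their usual ports, the same two on
# non-standard ports, and two packets that match nothing.
SAMPLE = [
    Packet(80,    b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet(8080,  b"GET /admin HTTP/1.0\r\n\r\n"),
    Packet(25,    b"EHLO mail.example\r\n"),
    Packet(2525,  b"HELO relay.example\r\n"),
    Packet(443,   b"\x16\x03\x01\x00\x2a\x01\x00\x00"),
    Packet(12345, b"\x00\x01\x02\x03\x04\x05\x06\x07"),
]

if __name__ == "__main__":
    for name, fn in (("port filter", port_filter_pass), ("dpd", dpd_pass)):
        inspected, detected = fn(SAMPLE)
        print(f"{name:12s} inspected={inspected} detected={detected}")
```

Running it on the sample shows the point in numbers: the port filter inspects 2 of 6 packets and finds one HTTP and one SMTP session, while the DPD-style pass inspects all 6 and finds both of the sessions on non-standard ports as well. The extra coverage is paid for with three times the analyzer work here, and on a real link the ratio is whatever fraction of the traffic the old port list would have discarded.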

Zachary P Reimer wrote:

I've been testing out bro 1.1c, and am looking at putting it into
production, but have a couple of questions about hardware and
performance issues. I'm currently running under FreeBSD 6. The
throughput it'll be watching won't be extremely high (~200Mb), but
connection counts will be quite high. The main question is whether to
get a multiprocessor/multicore box, or split out some of the traffic to
multiple smaller boxes.

I can't say much about Bro, per se, but I recently did some performance
testing of packet capture on FreeBSD 6 (i.e., all the layers beneath Bro),
and found that multiple processors do not help much. For example,
top-of-the-line dual Xeon CPUs (>$4,000 of CPU) performed ~5% better
than a single PentiumD at under $500.

I'd also note that Bro CPU load is highly dependent on policy set.
As a floor benchmark, I've seen a connection-logging-only policy on
a link averaging 100-200Mb/s consume about 1% CPU on a low-end single-CPU
system. You can't extrapolate much from this, except to note
that the Bro core seems to place very little demand on a system.

Mark