Question about network cards

Hello,

I’m wondering what people are using for network cards in their bro clusters that are not using the Myricom Network Cards. We don’t have a $1,000 dollars per a card + license to spend on the cards. Is anyone using Intel or other brands that aren’t as expensive to capture their traffic? We are looking at doing all 10 Gig connections into the Bro Cluster.

Thanks for all your answers.

Hello,

I’m wondering what people are using for network cards in their bro clusters that are not using the Myricom Network Cards. We don’t have a $1,000 dollars per a card + license to spend on the cards. Is anyone using Intel or other brands that aren’t as expensive to capture their traffic? We are looking at doing all 10 Gig connections into the Bro Cluster.

Thanks for all your answers.

We are using Endace cards which are quite a bit more pricey, but we are actively looking at the Myricom cards now.

My advice – get the Myricom cards. While you can do pfring using standard cards, nothing beats the low to no capture loss hardware. The ability to do onboard load distribution with multiple sub interfaces is a killer feature and your Bro config is greatly simplified. We use a patched version of libpacap for Endace… but I hear that 2.5 may incorporate native Myricom support.

Without cards like these it is like getting a new mustang but skimping on the powertrain options.

We are using Endace cards which are quite a bit more pricey, but we are actively looking at the Myricom cards now.

My advice – get the Myricom cards. While you can do pfring using standard cards, nothing beats the low to no capture loss hardware. The ability to do onboard load distribution with multiple sub interfaces is a killer feature and your Bro config is greatly simplified. We use a patched version of libpacap for Endace… but I hear that 2.5 may incorporate native Myricom support.

Without cards like these it is like getting a new mustang but skimping on the powertrain options.

Intel x520s work fine with both af_packet and pf_ring.

What are folks thoughts on Intel Cards with the fully licensed PF_RING DNA+Libzero or ZC drivers and libraries, which NTOP typically offers to EDUs at no cost. Shouldn't these perform much more closely to the Myricoms with Sniffer v3 than standard PF_RING drivers and libraries?

Of only I had enough patience for ZC. When it worked, I saw some packed loss that wasn't there when I used Myricom on the same sensor.

A nice alternative would be an Intel plus NetMap.

Hi All,

Wondering what model Myricom card is most commonly purchased for 10G Bro monitoring connections? I see Myricom has many options but I’m wondering which exact model is purchased most commonly and/or recommended amongst those who have Bro deployed in a production environment?

Assuming most people probably go with the SPF+ model (if not please let me know), do most people go with the 1-port card (10G-PCIE-8B-S) or did anyone purchase the 2-port card (10G-PCIE2-8C2-2S) and does anyone see any real value or purpose in going with the 2-port card for IDS/monitoring interface purposes? I’m assuming the answer is no to finding value/purpose in the 2-port card but I wanted to get some valuable input on all of this before making any purchases of the Myricom cards.

Of those who run the Myricom cards currently, did most go with the 10G-PCIE-8B-S model?

https://www.myricom.com/products/network-adapters/product-selector.html

Thank you

We use all 10G-PCIE2-8C2-2S with Sniffer10G v3.

We rarely use the second port, but it’s handy to have.

I’m still a huge fan of the solarflare cards. Great support and you just compile against libpcap and slipstream the driver. Pick how many cores you want to give any program and bingo-bango. It certainly makes compiling any program for 10gb a cinch.

Cheers,

JB



**From:**lattin@umn.edu
**Sent:**June 6, 2016 6:50 PM
**To:**dwdixon@umich.edu
**Cc:**BLMILLER@comerica.com; bro@bro.org
**Subject:**Re: [Bro] Question about network cards

|

  • |

We use all 10G-PCIE2-8C2-2S with Sniffer10G v3.

We rarely use the second port, but it’s handy to have.

https://www.myricom.com/products/network-adapters/10g-pcie-8b-s.html

15 of them with sniffer v3. Boring. Just works.
Myricom support is non-existent though.

I have had a great deal of success using Netronome cards. I built a couple of clusters using older Netronome NFE-3240’s, but am getting ready to test their new NFP-4000 based cards (AgilIO 40Gx1 cards). The netronome NFP (Network Flow Processor) uses a packet coalescing driver or network flow capture driver to load balance traffic to seperate “rings”. For Bro, and the load balancers we use, I use both 10G ports on each card (1 card per server), then have the packet coalescing driver load balance the traffic from both ports to all available rings (at 100Mb per ring), then tie a CPU core to each ring. It takes some tuning, and depends on your traffic, but I have successfully hit 80G using one cluster with off the shelf servers and the older netronome cards, which were far cheaper than the Myricoms.

There is more support from the community with the Myricom cards, and Bro has native support, so that should be factored in…

Just a note, SourceFire and Cisco use the Netronome cards in their network security products (or used to before Cisco assimilated SourceFire), so they are high end and work very well. Their API is well documented as well.