Solaris 10 pointers

Don't see anything in the email archive in the last few years.

Google searches for specific Solaris bugs have helped but I
still don't have a clean build. [Currently trying to find a
way around the lack of asprintf.]

If anyone has info/suggestions/URLs that will help me build bro on
Solaris 10/x86 please let me know. [OR experience with 10G Ethernet
on any OS.]
    Paul Hyder
    NOAA Earth System Research Laboratory, Global Systems Division
    Boulder, CO
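One way around the missing asprintf() mentioned above is the classic two-pass vsnprintf shim below. This is an added example, not Bro's own code; the names my_vasprintf/my_asprintf are hypothetical, and it assumes a C99-conforming vsnprintf that returns the required length when passed a NULL buffer and size 0.

```c
/* Portable asprintf() replacement for platforms that lack it (e.g. Solaris 10).
 * Added example, not Bro project code. In a real build you would compile this
 * only when the configure check for asprintf fails.
 * Assumes C99 vsnprintf: a NULL buffer with size 0 returns the needed length. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the number of bytes written (excluding the NUL) or -1 on error.
 * On error *strp is left NULL so a caller never frees or reads garbage.
 * As with the real asprintf, fmt must be a fixed format string, never
 * attacker-controlled input. */
static int my_vasprintf(char **strp, const char *fmt, va_list ap)
{
    va_list ap2;
    int len;
    char *buf;

    *strp = NULL;

    va_copy(ap2, ap);                 /* first pass only measures, on a copy */
    len = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (len < 0)
        return -1;

    buf = malloc((size_t)len + 1);    /* exact fit: length plus the NUL */
    if (buf == NULL)
        return -1;

    /* second pass writes into the sized buffer; a length mismatch means
     * something went wrong, so fail rather than hand back truncated data */
    if (vsnprintf(buf, (size_t)len + 1, fmt, ap) != len) {
        free(buf);
        return -1;
    }
    *strp = buf;
    return len;
}

static int my_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = my_vasprintf(strp, fmt, ap);
    va_end(ap);
    return rc;
}
```

The caller owns the returned buffer and must free() it, exactly as with the glibc/BSD asprintf.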

_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

We are currently using bro with a 10G ethernet connection, but the solution may not be what you are looking for.

Since there are fundamental issues with handling that volume of data on a PC architecture, we have exploited the use of VACLs on a border-facing Cisco 65xx in order to extract what traffic we know will be interesting, while avoiding the large flow issues that would otherwise plague us. A Juniper can do the same thing except that they call it filter-based port mirroring.

We have used this technique quite successfully at the IEEE Supercomputing conference every year for a while now and the technique scales quite well (to dozens of 10 gig links). Please contact me if you want more information about this.

As an option, you can also use a processing offload card that does most of the pcap-like filtering for you (typically in an ASIC type form). The filtered data shows up as a network interface/device and you can use it as you would any other feed. Metanetworks makes a card that we have used for this purpose, but there are several other vendors who do quite similar things.

If none of this is an option, I can point you to other documents that discuss issues with regard to high speed data sampling using commodity hardware. Depending on traffic characteristics and what actual volume you are seeing, it may be quite possible to do this without significant data loss.

Feel free to contact me if you have any other questions about this.

scott