Zeek 3 / VMware ESXi


I have installed Zeek on ESXi and the hardware is dedicated for Zeek.

Everything works fine, Zeek logs the network.

My question is, what is the difference for Zeek to be run on virtual vs physical?

Our highest throughput is 125 Mbps for our ISP and about 1 Gbps internal.

Some suggest it might impact the performance, but where could it struggle on a VM?

Thank you for your time,


I’ve spent considerable time performing strength tests with Zeek, Suricata, and Snort with BreakingPoint chassis and similar testing platforms.

The biggest issue you will face is unpredictable resources. Where possible, isolate the resources for the Zeek instance from other guests on the fabric. Zeek isn’t really going to know the difference between being virtual or physical. As other guests pull from the same source, you will see an impact. PF_Ring and AF_Packet can be used. In the past, I’ve stuck with PF_Ring as it was a bit more predictable. This isn’t a requirement, just a preference I have based on previous experience.

For comparison, when I run a 10 Gbps test against physical instances of Zeek, I will see an average of 7.6 Gbps of actual throughput with a +/- 5% variation. With virtual instances on VMware with nothing else running, I will see closer to 6.4 Gbps with the same traffic replay, showing a +/- 15% variation. It’s just a bit harder to nail down your performance baseline.

I would recommend that you enable jumbo packet support as it will help with latency and keep an eye on things. Mileage may vary.

Obviously, some traffic is more costly than others. FTP, DNS, etc. are going to be less of an impact than SMB. Some detections are more costly than others.

Hope this helps and as you say, “Mon milieu de vie!”.
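
One way to put numbers on the baseline and variation discussed in the reply above is to summarise Zeek's `stats.log`. This is an added example, not part of the original posts; it assumes the standard `stats.log` fields (`ts`, `bytes_recv`, `pkts_dropped`, `pkts_link`, all per-interval counts), a single Zeek process in the log, and a constructed sample rather than real measurements.

```python
import io
import statistics

# Constructed sample in Zeek's TSV log layout (not real measurements).
SAMPLE_STATS_LOG = (
    "#fields\tts\tpeer\tmem\tpkts_proc\tbytes_recv\tpkts_dropped\tpkts_link\n"
    "#types\ttime\tstring\tcount\tcount\tcount\tcount\tcount\n"
    "1600000000.0\tzeek\t512\t900000\t750000000\t0\t900000\n"
    "1600000300.0\tzeek\t520\t1000000\t900000000\t10000\t1010000\n"
    "1600000600.0\tzeek\t530\t800000\t600000000\t40000\t840000\n"
    "1600000900.0\tzeek\t525\t950000\t750000000\t0\t950000\n"
)

def parse_zeek_tsv(stream):
    """Yield one dict per data row, keyed by the names on the #fields line."""
    fields = []
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def baseline(stream):
    """Mean throughput, worst deviation from it, and worst drop rate."""
    rows = list(parse_zeek_tsv(stream))
    mbps, drop_pct = [], []
    for prev, cur in zip(rows, rows[1:]):
        secs = float(cur["ts"]) - float(prev["ts"])
        needed = (cur["bytes_recv"], cur["pkts_dropped"], cur["pkts_link"])
        if secs <= 0 or "-" in needed:  # "-" marks an unset field
            continue
        link = int(cur["pkts_link"])
        mbps.append(int(cur["bytes_recv"]) * 8 / secs / 1e6)
        drop_pct.append(100 * int(cur["pkts_dropped"]) / link if link else 0.0)
    if not mbps:
        return None
    mean = statistics.mean(mbps)
    return {
        "mean_mbps": mean,
        "variation_pct": 100 * max(abs(v - mean) for v in mbps) / mean,
        "worst_drop_pct": max(drop_pct),
    }

if __name__ == "__main__":
    print(baseline(io.StringIO(SAMPLE_STATS_LOG)))
```

Running it against logs collected while other guests are busy and while they are idle shows how much of the variation comes from the shared host rather than from the traffic mix.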