Earlier this week I found, to my dismay, a significant error in the assessment
of Bro's performance given in the paper to appear in this month's USENIX
Security Symposium (and which I plugged on this list). The error is that the
measured load on the FDDI ring being monitored was not 50 Mbps sustained over
an hour, but instead 25 Mbps.

I've appended context diffs for the correction. The other performance
numbers remain unchanged.

The revised paper is available from:

ftp://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z

and I've removed the original copy. It's too late to correct the copy
to appear in the Proceedings hardcopy; the USENIX on-line versions should
be corrected some time this week.

Sorry about this ....

Vern

*** 1939,1947 ****
enforcement.
The system generally operates without incurring any packet drops.
! The FDDI ring it runs on is heavily used: a recent trace of a 2-3PM
! busy hour reflects a traffic level of over 17,000 packets/sec (50 Mbps)
! sustained for the full hour, with peaks exceeding 30,000 packets/sec.
However, the packet filter discards a great deal of this, both due
to filtering primarily on SYN, FIN, or RST control bits, and because
only about 20\% of the traffic belongs to networks that we routinely
--- 1942,1950 ----
enforcement.
The system generally operates without incurring any packet drops.
! The FDDI ring it runs on is moderately utilized: a recent trace of a 2-3PM
! busy hour reflects a traffic level of 8,800 packets/sec (25 Mbps)
! sustained for the full hour, with peaks of 15,000 packets/sec.
However, the packet filter discards a great deal of this, both due
to filtering primarily on SYN, FIN, or RST control bits, and because
only about 20\% of the traffic belongs to networks that we routinely
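
Review bot: the replacement lines "a traffic level of 8,800 packets/sec (25 Mbps)" and "with peaks of 15,000 packets/sec" drop the "over" and "exceeding" qualifiers the old text carried, so both figures now read as exact measurements; if they are rounded from the trace, "about 8,800" and "peaks of about 15,000" would say so. The two sets of numbers are at least consistent with each other (both work out to roughly 350 to 370 bytes per packet), which supports the halving. Separately, the hunk has no "***"/"---" file header lines naming the source file, and its new range starts at 1942 against 1939 in the old, so three lines were added earlier in the file by a change that is not shown here; including that hunk and the file headers would let a reader apply the correction as posted.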
Received on Jan 20 1998