What is the maximum bandwidth a network monitor can process?

Article ID: 160699

Products

Data Loss Prevention Network Monitor

Issue/Introduction

What is the maximum bandwidth that a DLP Network Monitor can manage?

Resolution

The maximum amount of filtered traffic that a Network Monitor can handle is 40 Mbps. This is a limitation of the FileReader. Earlier stages of the process can handle higher amounts of traffic.

The maximum incoming traffic depends on which capture method is used: a NIC, an Endace card (pre DLP 11.6, 32-bit), a Napatech card (11.6 or later, 64-bit), or a NIC with Linux kernel tuning (the default on Linux installs after version 11.0). The NIC itself can only handle the amount that the PacketCapture process can, which is 80 Mbps. Beyond that, an Endace card, a Napatech card, or the Linux kernel tuning is required. With these, the amount of filtered traffic cannot exceed 80 Mbps.

PacketCapture is the process that takes the packets and reassembles them into messages. It can handle about 80 Mbps total. This is not per NIC, but the total traffic coming in from all NICs selected for capture. If there is more than 80 Mbps, the Monitor drops packets, and messages with dropped packets are not processed.

The Network Monitor FileReader is the detection process, which determines whether a violation occurred and whether an incident needs to be created. It can handle a maximum of about 40 Mbps of filtered traffic, that is, the traffic that remains after PacketCapture has dropped everything not selected for capture. If there is more than 40 Mbps, there will be long message wait times, but messages are still processed at this point.

Adding a faster CPU does not speed up the FileReader.