We have built a framework for evaluating the scalability of the Bro cluster implementation using Deter and amplified synthetic traces. We have shown that if the total amount of work remains constant, in one particular case we can even see a super-linear speedup attributable to resource exhaustion effects, but this speedup is reduced to sublinear when we scale the workload with cluster size.
It is important to remember, however, that because we are using a synthetic trace, we can only use this framework to discover and evaluate potential bottlenecks. It offers no guarantee that operational traffic won't display different performance artifacts. It is politically difficult to generate and access full-packet traces from production networks, but such traces are essential if we wish to validate our system for operational environments.