Wire-speed Packet Capture and Transmission

Similar documents
Monitoring high-speed networks using ntop. Luca Deri

ncap: Wire-speed Packet Capture and Transmission

Improving Passive Packet Capture: Beyond Device Polling

Improving Passive Packet Capture: Beyond Device Polling

Open Source in Network Administration: the ntop Project

10 Gbit Hardware Packet Filtering Using Commodity Network Adapters. Luca Deri Joseph Gasparakis

Comparing and Improving Current Packet Capturing Solutions based on Commodity Hardware

Performance Evaluation of VMXNET3 Virtual Network Device VMware vsphere 4 build

HANIC 100G: Hardware accelerator for 100 Gbps network traffic monitoring

Network Performance Optimisation and Load Balancing. Wulf Thannhaeuser

Exploiting Commodity Multi-core Systems for Network Traffic Analysis

Collecting Packet Traces at High Speed

High-Density Network Flow Monitoring

The ntop Project: Open Source Network Monitoring

Intel DPDK Boosts Server Appliance Performance White Paper

On Multi Gigabit Packet Capturing With Multi Core Commodity Hardware

Assessing the Performance of Virtualization Technologies for NFV: a Preliminary Benchmarking

MoonGen. A Scriptable High-Speed Packet Generator Design and Implementation. Paul Emmerich. January 30th, 2016 FOSDEM 2016

vpf_ring: Towards Wire-Speed Network Monitoring Using Virtual Machines

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware

Towards 100 Gbit Flow-Based Network Monitoring. Luca Deri Alfredo Cardigliano

The Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology

Network Virtualization Technologies and their Effect on Performance

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware

High-Density Network Flow Monitoring

Wireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University

High-performance vnic framework for hypervisor-based NFV with userspace vswitch Yoshihiro Nakajima, Hitoshi Masutani, Hirokazu Takahashi NTT Labs.

Gigabit Ethernet Packet Capture. User s Guide

vpf_ring: Towards Wire-Speed Network Monitoring Using Virtual Machines

Sockets vs. RDMA Interface over 10-Gigabit Networks: An In-depth Analysis of the Memory Traffic Bottleneck

Exploiting Commodity Multicore Systems for Network Traffic Analysis

OpenFlow with Intel Voravit Tanyingyong, Markus Hidell, Peter Sjödin

Open Source VoIP Traffic Monitoring

Software-based Packet Filtering. Fulvio Risso Politecnico di Torino

D1.2 Network Load Balancing

How To Improve Performance On A Linux Based Router

Gigabit Ethernet Design

BHyVe. BSD Hypervisor. Neel Natu Peter Grehan

Monitoring Network Traffic using ntopng

Implementation and Performance Evaluation of M-VIA on AceNIC Gigabit Ethernet Card

Insiders View: Network Security Devices

Evaluation Report: Emulex OCe GbE and OCe GbE Adapter Comparison with Intel X710 10GbE and XL710 40GbE Adapters

High Speed Network Traffic Analysis with Commodity Multi-core Systems

Communicating with devices

The Bus (PCI and PCI-Express)

Open-source routing at 10Gb/s

High-speed Network and Service Monitoring. Luca Deri

VMWARE WHITE PAPER 1

Transparent Optimization of Grid Server Selection with Real-Time Passive Network Measurements. Marcia Zangrilli and Bruce Lowekamp

A way towards Lower Latency and Jitter

RCL: Software Prototype

The new frontier of the DATA acquisition using 1 and 10 Gb/s Ethernet links. Filippo Costa on behalf of the ALICE DAQ group

Autonomous NetFlow Probe

High-performance vswitch of the user, by the user, for the user

The Elements of GigE Vision

Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software. Luca Deri January 2003

I3: Maximizing Packet Capture Performance. Andrew Brown

RF Monitor and its Uses

Hardware acceleration enhancing network security

PCI Express* Ethernet Networking

High-Speed Network Traffic Monitoring Using ntopng. Luca

Network packet capture in Linux kernelspace

The Performance Analysis of Linux Networking Packet Receiving

Open-Source PC-Based Software Routers: A Viable Approach to High-Performance Packet Switching

Virtualization Technologies

High-Performance Network Traffic Processing Systems Using Commodity Hardware

VXLAN Performance Evaluation on VMware vsphere 5.1

Performance of Software Switching

SCAMPI Programmable hardware for network monitoring. Masaryk University

Enabling Technologies for Distributed and Cloud Computing

Virtual device passthrough for high speed VM networking

A Research Study on Packet Sniffing Tool TCPDUMP

Enabling Technologies for Distributed Computing

Improving the Performance of Passive Network Monitoring Applications with Memory Locality Enhancements

The IPTV-Analyzer OpenSourceDays 2012

Design of an Application Programming Interface for IP Network Monitoring

ZCL for SONYGigECAM Introduction Manual

Netfilter Performance Testing

Networking Driver Performance and Measurement - e1000 A Case Study

10 Gbit/s Line Rate Packet Processing Using Commodity Hardware: Survey and new Proposals

PCI Express High Speed Networks. Complete Solution for High Speed Networking

Router Architectures

A Performance Monitor based on Virtual Global Time for Clusters of PCs

Accelerate In-Line Packet Processing Using Fast Queue

LCMON Network Traffic Analysis

Running FileMaker Pro 5.0v3 on Windows 2000 Terminal Services

Flow-based network accounting with Linux

Analyzing and Optimizing the Linux Networking Stack

Tempesta FW. Alexander Krizhanovsky NatSys Lab.

Networking Virtualization Using FPGAs

50. DFN Betriebstagung

Guide for wireless environments

CPU Benchmarks Over 600,000 CPUs Benchmarked

Presentation of Diagnosing performance overheads in the Xen virtual machine environment

Xen and the Art of. Virtualization. Ian Pratt

Welcome to the Dawn of Open-Source Networking. Linux IP Routers Bob Gilligan

How To Test A Microsoft Vxworks Vx Works (Vxworks) And Vxwork (Vkworks) (Powerpc) (Vzworks)

Application Note. Windows 2000/XP TCP Tuning for High Bandwidth Networks. mguard smart mguard PCI mguard blade

Challenges in high speed packet processing

How To Test For Performance And Scalability On A Server With A Multi-Core Computer (For A Large Server)

Transcription:

Wire-speed Packet Capture and Transmission Luca Deri <deri@>

Packet Capture: Open Issues Monitoring low speed (100 Mbit) networks is already possible using commodity hardware and tools based on libpcap. Sometimes even at 100 Mbit there is some (severe) packet loss: we have to shift from thinking in term of speed to number of packets/second that can be captured analyzed. Problem statement: monitor high speed (1 Gbit and above) networks with common PCs (64 bit/66 Mhz PCI/X/Express bus) without the need to purchase custom capture cards or measurement boxes.

Libpcap Performance [1/2] Packet Size (Bytes) Speed (Mbit) Speed (Pkt/sec) Linux 2.6.1 with NAPI and standard libpcap Linux 2.6.1 with NAPI and mmap() FreeBSD 4.8 with Polling 64 90 175 000 2.5% 14.9% 97.3% 512 710 131 000 1.1% 11.7% 47.3% 1500 836 70 000 34.3% 93.5% 56.1% Percentage of captured packets Testbed: Sender: Dual 1.8 GHz Athlon, Intel GE 32-bit Ethernet card Collector: Pentium III 550 MHz, Intel GE 32-bit Ethernet card Traffic Generator: stream.c (DoS)

Libpcap Performance [2/2] Using mmap() for direct packet access into the kernel has: significantly improved the capture performance partially solved the problem as Linux is still quite slow. This is somehow a demonstration that context switching (kernel to userland) is an issue but it s not the real issue that slows down the capture process. Further comments: Device Polling significantly improved the performance on a 100 Mbit Ethernet card Linux still performs much worse than FreeBSD at userspace Linux kernel performance is basically the same of FreeBSD at userspace

Proposed Solution: Socket Packet Ring (PF_RING) Application A Application Z mmap() Outgoing Packets Userspace Kernel Read Index Socket (ring) Write Index Socket (ring) PF_RING Network Adapter Incoming Packets

PF_RING Features Linux kernel patch (2.4.x and 2.6.x) for high-speed packet capture. In a nutshell it reduces the packets journey from the NIC to the user applications. It adds a new type of socket (PF_RING) that can be used by existing (PF_PACKET) applications. The (legacy) libpcap library has been extended in order to support PF_RING.

PF_RING 3.x: Speed Monitoring Applications Monitoring Applications PF_RING NAPI Handling + Low Level Kernel Calls NIC Driver NIC PF_RING NAPI Handling + Low Level Kernel Calls NIC Driver NIC Up to 2.X PF_RING 3.X Advantage: Major speed bump. Limitation: NIC driver needs (very minor) modifications.

PF_RING 3.x: Evaluation [1/2] Evaluation: Major improvement with respect to Linux with NAPI It can exploit both polling and Linux 2.4.x/2.6.x Users (stillsecure.com) sell accelerated Snort/PF_RING able to run at 1.6/1.8 Gbit (aggregate) on fast Opteron PCs Open Issues Packet loss: still some packets are lost on Linux. CPU Usage: on Linux there still some packet loss although the CPU usage is very low (< 30% on Linux, > 98% on FreeBSD).

PF_RING 3.x: Evaluation [2/2] Packet Size (Bytes) Linux 2.4.23 with NAPI, RT_IRQ and Ring (Pkt Capture) Linux 2.4.23 with NAPI, RT_IRQ and Ring (nprobe) 64 550 789 [~202 Mbit] 512 213 548 [~850 Mbit] 1500 81 616 [~970 Mbit] 376 453 [~144 Mbit] 213 548 [~850 Mbit] 81 616 [~970 Mbit] Testbed: Sender: Dual 1.8 GHz Athlon, Intel GE 32-bit Ethernet card Collector: Pentium 4 1.7 GHz, Intel GE 32-bit Ethernet card Traffic Generator: stream.c (DoS) Captured Packets and nprobe Flow Generation (packet/sec)

PF_RING: Open Issues The kernel is still involved in the capture process (overhead). Kernel packet polling is implemented only on the first CPU (no way to really exploit multiprocessing). Fetching full packets is costly as it requires extra kernel work (memcpy). The NPU on the ethernet card is partially used as most of the processing is done on the main CPU. Device drivers are not optimized for packet capture: too many memory allocations/copy/free.

What s next? Completely remove the kernel from the packet capture process. Avoid packet copy at all. Fully exploit the NPU that s on the ethernet card. Use the main CPU(s) for packet processing and for fetching packets from network adapters. Rethink network device drivers and optimize them for packet capture.

Welcome to ncap Monitoring Application Monitoring Application Monitoring Application Userland Enhanced libpcap Kernel Straight Capture PF_RING Standard TCP/IP Stack ncap Legacy Accelerated Device Driver Ethernet

ncap Features Packet Capture Acceleration Wire Speed Packet Capture Number of Applications per Adapter Standard TCP/IP Stack with accelerated driver Limited No Unlimited PF_RING with accelerated driver Great Almost Unlimited Straight Capture Extreme Yes One

ncap Internals ncap maps at userland the card registers and memory. The card is accessed by means of a device /dev/ncap/ethx If the device is closed it behaves as a normal NIC. When the device is open, it is completely controlled by userland the application. A packet is sent by copying it to the TX ring. A packet is received by reading it from the RX ring. Interrupts are disabled unless the userland application wait for packets (poll()). On NIC packet filtering (MAC Address/VLAN only).

ncap Evaluation It currently supports Intel 1 GE copper/fiber cards. GE Wire speed (1.48 Mpps) full packet capture starting from P4 HT 3 GHz. Better results (multiple NICs on the same PC) can be achieved using Opteron machines (HyperTransport makes the difference). The ncap speed is limited by the speed applications fetch packets from the NIC, and the PCI bus.

ncap Comparison (1 Gbit) Maximum Packet Loss at Wire Speed Estimated Card Price Manufacturer DAG 0 % > 5-7 K Euro Endace.com ncap 0.8 % 100 Euro Combo 6 (Xilinx) 5 % > 7-10 K Euro Liberouter.com Source Cesnet (http://luca./ncap-evaluation.pdf)

Further ncap Features High-speed traffic generation: cheap trafgen as fast as a hardware trafgen (>> 25 000 Euro) Precise packet generation. Precise packet timestamping on transmission (no kernel interaction): suitable for precise active monitoring. Enhanced driver currently supports Intel cards (1 Gb Ethernet). Support of PCI Express cards.

Availability Paper and Documentation: http://luca./ PF_RING http://www./pf_ring.html ncap Live CD: http://luca./ncap/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information