passively monitoring networks at gigabit speeds
play

Passively Monitoring Networks at Gigabit Speeds Luca Deri - PowerPoint PPT Presentation

Jan 30, 2023 •206 likes •438 views

Passively Monitoring Networks at Gigabit Speeds Luca Deri <deri@ntop.org> Yuri Francalacci <yuri@ntop.org> ntop.org Presentation Overview Monitoring Issues at Wire Speed Traffic Filtering and Protocol Conversion

  1. Passively Monitoring Networks at Gigabit Speeds Luca Deri <deri@ntop.org> Yuri Francalacci <yuri@ntop.org> ntop.org

  2. Presentation Overview • Monitoring Issues at Wire Speed • Traffic Filtering and Protocol Conversion • Packet Capture and Classification • Final Remarks ntop.org L.Deri and Y.Francalacci 2

  3. Monitoring Issues at Wire Speed • Monitoring low speed (100Mb) network is already available with common tools libpcap based • Problem Statement: monitor high speed (10 GB and over) network with common PC’s (64 bit 66MHz PCI bus) • PCI Bus Limited Bandwidth (64 bit bus transfer limit 533 Mbit/s) ntop.org L.Deri and Y.Francalacci 3

  4. Proposed Approach: Requirements • Hardware and Software: – Intelligent routers (e.g. Juniper M-series): they are needed to run the network – x86-based PCs for capturing traffic – Linux/FreeBSD Operating System – Standard 64 bit PCI Gigabit NICs (Intel) ntop.org L.Deri and Y.Francalacci 4

  5. Proposed Approach: Goals • Passively monitor networks at Gbit speeds with no (or very little) packet loss • Traffic information generated in a standard format (NetFlow/nFlow) • Ability to monitor both IPv4/v6 • Provide accounting, performance information ntop.org L.Deri and Y.Francalacci 5

  6. Architecture Overview Internet Internet Traffic Mirror Packet Filtering nProbe nProbe Juniper M-series Juniper M-series NetFlow Local Local ntop ntop Network Network ntop.org L.Deri and Y.Francalacci 6

  7. Traffic Filtering and Protocol Conversion [1/3] • Juniper routers provide: – a built-in traffic-filter (firewall configuration statement) – traffic mirroring (forwarding configuration statement) ntop.org L.Deri and Y.Francalacci 7

  8. Traffic Filtering and Protocol Conversion [2/3] • Traffic filter capabilities: – IPv4 and IPv6 filter types available – BPF-like filtering terms – Filter complexity as user request • Traffic filter term counter – Possibility to define a counter for each term (could be used for accounting reason) – All counters could be read via SNMP ntop.org L.Deri and Y.Francalacci 8

  9. Traffic Filtering and Protocol Conversion [3/3] • Traffic mirroring advantages: – Interface type independency (router provides the protocol conversion) – Sampling capabilities (if link speed > monitoring NIC speed) – Multilink mirroring (on the monitoring link can be mirrored more than one line) ntop.org L.Deri and Y.Francalacci 9

  10. Juniper Accounting • NetFlow (v5/v8) support • Flexible flow aggregation (AS, service, etc) • Complex accounting (e.g. using ntop) using a PC connected on a mirror port ntop.org L.Deri and Y.Francalacci 10

  11. Packet Capture and Classification: Issues • Most Gbit network cards/OSs have not been designed for capturing thousand of packets per second in promiscuous mode • Most NetFlow implementations (e.g. Juniper, Cisco, Extreme Networks) handle up to ~10k packet/sec and/or decrease dramatically switch performances • Flow collector performance is often rather limited (load balancing) ntop.org L.Deri and Y.Francalacci 11

  12. Userland Packet Capture: libpcap sniffer sniffer kernel TCP,UDP IP,ICMP Packet Copy filter filter Ethernet BPF driver Device driver ntop.org L.Deri and Y.Francalacci 12

  13. Libpcap Limitations • Multiple packet copies. • Costly data exchange from kernel to user space via system calls • Severe packet loss if userland applications cannot cope with packet/kernel speed ntop.org L.Deri and Y.Francalacci 13

  14. Solution 1: Kernel Packet Capture sniffer Linux/BSD kernel TCP,UDP Direct Packet Access via mmap() Packets IP,ICMP Kernel Module Ethernet Packets Circular Buffer Device driver Packet Copy ntop.org L.Deri and Y.Francalacci 14

  15. Kernel Packet Capture: Code packetBuffer = mmap(fd); while(1) { if(select(fd)) { /* There’s a Packet to read */ packet = packetBuffer[slotId]; /* Handle packet here */ slotId = (slotId +1) % numSlots; } /* select */ } /* while */ ntop.org L.Deri and Y.Francalacci 15

  16. Kernel Packet Capture: Limitations [1/2] • Little (~10%) performance improvement over pcap due to select() call (test performed on a 10/100 MBit/sec link). • Possible workarounds: – Smart Select: as soon select() returns 1, keep on reading. When there’s nothing to read call select() again. – Active polling: infinite loop until there’s something to read on packetBuffer[slotId] ntop.org L.Deri and Y.Francalacci 16

  17. Kernel Packet Capture: Limitations [2/2] • Both workarounds to not improve performance significantly. – Smart Select:some select() calls are avoided. – Active polling:user time vs. kernel time increases significantly. At very high speeds (probability that there’s something to read is high) it’s better than smart select (see L. Rizzo). • Drawback: user time increases causing packet loss. ntop.org L.Deri and Y.Francalacci 17

  18. Solution 2: Kernel Packet Classification • Principles: – Handle packets only inside the kernel (i.e. they are not passed to userland applications). – Pass flows, not packets, (flows << packets) to userland applications. ntop.org L.Deri and Y.Francalacci 18

  19. Kernel Packet Classification: Architecture Flow Probe Linux/BSD kernel TCP,UDP Direct Flow Access via mmap() Flows IP,ICMP Kernel Module Packet Ethernet Flows Circular Buffer Reference Device driver ntop.org L.Deri and Y.Francalacci 19

  20. Kernel Packet Classification: Features • Strong performance improvement over pcap due to full in-kernel packet processing. • No NIC (DMA)->kernel->userland packet copy • No packet loss • Speed limited by the CPU speed (ability to handle interrupts) • Simple userland NetFlow probe implementation ntop.org L.Deri and Y.Francalacci 20

  21. nFlow (http://www.nflow.org) • New flow definition based on NetFlow • Major features: – Support for both IPv4 and IPv6 – Added VLAN tagging/MPLS label support – Added (network and application) performance and (passive) fingerprinting information – Flow compression (gzip), non ripudiation (MD5) ntop.org L.Deri and Y.Francalacci 21

  22. Final Remarks • Packet filtering and protocol conversion in hardware (Juniper). • External accounting application based on a PC with in-kernel NetFlow flow generation. • Kernel-based nProbe (alpha-code) runs at kernel/interrupt speed (pcap-based version handles <= 250k pkt/sec) ntop.org L.Deri and Y.Francalacci 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri &lt;deri@ntop.org&gt;

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri &lt;deri@ntop.org&gt;

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri &lt;deri@ntop.org&gt; NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Communications Towards the Speeds of Wireline Networks Free Space Optical (FSO) Communications:

Communications Towards the Speeds of Wireline Networks Free Space Optical (FSO) Communications:

Free Space Optical (FSO) Communications Towards the Speeds of Wireline Networks Free Space Optical (FSO) Communications: Towards the Speeds of Wireline Networks FSO Basic Principle Connects using narrow beams two optical wireless

392 views • 28 slides
Network Layer Support for Gigabit TCP Flows in Wireless Mesh Networks This work is collaborated

Network Layer Support for Gigabit TCP Flows in Wireless Mesh Networks This work is collaborated

Network Layer Support for Gigabit TCP Flows in Wireless Mesh Networks This work is collaborated with Prof. Ramanathan, Univ. of Wisconsin Madison Chin-ya Huang Feb. 6, 2015 1 BBBBBBBBBBBBBBBB Outline Motivation Challenges

570 views • 30 slides
Gigabit Ethernet Gigabit Ethernet implementation for implementation for FPGAs FPGAs Grzegorz

Gigabit Ethernet Gigabit Ethernet implementation for implementation for FPGAs FPGAs Grzegorz

Gigabit Ethernet Gigabit Ethernet implementation for implementation for FPGAs FPGAs Grzegorz Korcyl - Jagiellonian University, Krakw Grzegorz Korcyl PANDA TDAQ Workshop, Giessen April 2010 Outline Motivation 1. 2. General structure

292 views • 16 slides
Towards Wireless Multi-Gigabit Systems Towards Wireless Multi Gigabit Systems Channel Models,

Towards Wireless Multi-Gigabit Systems Towards Wireless Multi Gigabit Systems Channel Models,

Technische Universitt Carolo-Wilhelmina zu Braunschweig tubs.CITY Jahrestagung 2009 tubs C Ja estagu g 009 Towards Wireless Multi-Gigabit Systems Towards Wireless Multi Gigabit Systems Channel Models, Regulation and Standardisation

519 views • 38 slides
Same problem, different approach Monitor process does not query explicitly Instead, it passively

Same problem, different approach Monitor process does not query explicitly Instead, it passively

Same problem, different approach Monitor process does not query explicitly Instead, it passively collects information and uses it to build an observation. (reactive architectures, Harel and Pnueli [1985]) An observation is an ordering of event

618 views • 40 slides
Myroma Biometric Olfactory Wearable for Stress Management Passively monitors mental wellbeing,

Myroma Biometric Olfactory Wearable for Stress Management Passively monitors mental wellbeing,

Myroma Biometric Olfactory Wearable for Stress Management Passively monitors mental wellbeing, releases scents to intervene Passively monitors mental wellbeing, releases scents to intervene Passively monitors mental wellbeing, releases

407 views • 13 slides
An innovative low-cost Classification Scheme for combined multi-Gigabit IP and Ethernet Networks

An innovative low-cost Classification Scheme for combined multi-Gigabit IP and Ethernet Networks

An innovative low-cost Classification Scheme for combined multi-Gigabit IP and Ethernet Networks Ioannis Papaefstathiou Vassilis Papaefstathiou Inst. of Computer Science (ICS), Foundation for Research Inst. of Computer Science (ICS), Foundation

229 views • 6 slides
Gigabit Broadband, Interconnec1on proposi1ons, and the Challenge of Managing Expecta1ons Steven

Gigabit Broadband, Interconnec1on proposi1ons, and the Challenge of Managing Expecta1ons Steven

Gigabit Broadband, Interconnec1on proposi1ons, and the Challenge of Managing Expecta1ons Steven Bauer William Lehr Shirley Hung MassachuseCs Ins1tute of Technology Dec 17, 2015 How would Google Fibers Gigabit Ethernet Product look in

612 views • 21 slides
Building Gigabit Britain FCS Comms Provider 8 Sept 2016 Rob Hamlin Commercial Director

Building Gigabit Britain FCS Comms Provider 8 Sept 2016 Rob Hamlin Commercial Director

Building Gigabit Britain FCS Comms Provider 8 Sept 2016 Rob Hamlin Commercial Director Gigabit City Video Only a modern, pure fibre infrastructure has the power to truly underpin economic prosperity and enable growth. What we bring

248 views • 14 slides
Final Gigabit Kit s Workshop J une 18, 19 2002 J onat han Turner j st @cs.wust l.edu Washingt

Final Gigabit Kit s Workshop J une 18, 19 2002 J onat han Turner j st @cs.wust l.edu Washingt

Final Gigabit Kit s Workshop J une 18, 19 2002 J onat han Turner j st @cs.wust l.edu Washingt on Universit y, Applied Research Lab ht t p:/ / www.arl.wust l.edu/ arl Agenda Tuesday, J une 18 8:30 Gigabit Kit s Program Updat e and Ret

514 views • 16 slides
EARTH NETWORKS WEATHER SEVERE MONITORING AND ALERTING EARTH NETWORKS - WHAT WE DO We automate

EARTH NETWORKS WEATHER SEVERE MONITORING AND ALERTING EARTH NETWORKS - WHAT WE DO We automate

EARTH NETWORKS WEATHER SEVERE MONITORING AND ALERTING EARTH NETWORKS - WHAT WE DO We automate decisions to help global organizations mi mitigate financial, operational, and huma man risk by integrating env environm nment ental int ntel

466 views • 11 slides
Modifying existing applications for 100 Gigabit Ethernet Jelte Fennema University of Amsterdam

Modifying existing applications for 100 Gigabit Ethernet Jelte Fennema University of Amsterdam

Modifying existing applications for 100 Gigabit Ethernet Jelte Fennema University of Amsterdam 29th June 2016 Introduction Approach Results Conclusion Introduction 100 Gigabit Ethernet (100GbE) is becoming common Measuring the

601 views • 30 slides
Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Overview

Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Overview

Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Overview Overview Introduction Related Studies SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring Tools

493 views • 26 slides
Monitoring a EVPN-VxLAN fabric with BGP Monitoring Protocol Davide Pucci Giacomo Casoni

Monitoring a EVPN-VxLAN fabric with BGP Monitoring Protocol Davide Pucci Giacomo Casoni

Monitoring a EVPN-VxLAN fabric with BGP Monitoring Protocol Davide Pucci Giacomo Casoni davide.pucci@os3.nl giacomo.casoni@os3.nl Vivek Venkatraman Attilla de Groot Donald Sharp Cumulus Networks Cumulus Networks Cumulus Networks Border

410 views • 30 slides
AIRS Data Support &amp; Services @ NASA GES DISC Jason Li Code 610.2 Goddard Earth Sciences

AIRS Data Support &amp; Services @ NASA GES DISC Jason Li Code 610.2 Goddard Earth Sciences

AIRS Data Support &amp; Services @ NASA GES DISC Jason Li Code 610.2 Goddard Earth Sciences Data and Information Services Center NASA Goddard Space Flight Center, Greenbelt, Maryland 20771 Acknowledgement: to many colleagues who have

424 views • 31 slides
Justin Solomon Sebastian Claici MIT MIT Justin Solomon Sebastian Claici MIT MIT Client

Justin Solomon Sebastian Claici MIT MIT Justin Solomon Sebastian Claici MIT MIT Client

Justin Solomon Sebastian Claici MIT MIT Justin Solomon Sebastian Claici MIT MIT Client Which optimization tool is relevant? Designer Can I design an algorithm for this problem? Patterns, algorithms, &amp; examples common in

1.01k views • 67 slides
Why Create a prototype f os y ov r pr ok ects? WIRE FRAMING Create a l ox -fidelity prototype f os

Why Create a prototype f os y ov r pr ok ects? WIRE FRAMING Create a l ox -fidelity prototype f os

WIRE FRAMING Why Create a prototype f os y ov r pr ok ects? WIRE FRAMING Create a l ox -fidelity prototype f os y ov r pr ok ects - To give your idea a certain shape - Keeping it abstract - Resolution &amp; size - User interface UI - Hierarchy

805 views • 44 slides
Testbed Deployment Plan Gil Zussman Electrical Engineering, Columbia University Objective : Take

Testbed Deployment Plan Gil Zussman Electrical Engineering, Columbia University Objective : Take

Testbed Deployment Plan Gil Zussman Electrical Engineering, Columbia University Objective : Take it Outside Objective : Take it Outside Planned Deployment West Harlem Area: ~1 sq. mile ~9 Large Sites ~40 Medium sites Fiber

712 views • 13 slides
&gt;&gt;&gt; DAPHNE initial design considerations for the FEB &gt;&gt;&gt; High Performance data

&gt;&gt;&gt; DAPHNE initial design considerations for the FEB &gt;&gt;&gt; High Performance data

&gt;&gt;&gt; DAPHNE initial design considerations for the FEB &gt;&gt;&gt; High Performance data acquisition for ARAPUCAS in Dune experiment Name: Manuel Arroyave and Javier Castao Date: May 29, 2019 [~]$ _ [1/17] &gt;&gt;&gt; Content 1.

333 views • 18 slides
What TCP/IP Protocol Headers What TCP/IP Protocol Headers What TCP/IP Protocol Headers using

What TCP/IP Protocol Headers What TCP/IP Protocol Headers What TCP/IP Protocol Headers using

University of North Carolina at University of North Carolina at University of North Carolina at Motivation Motivation Chapel Hill Chapel Hill Chapel Hill Traffic Modeling and Characterization Traffic Modeling and Characterization Can

302 views • 8 slides
The Evolution of the National Broadband Plan for 5G Deployment Dr. Georgios Pantos Head of

The Evolution of the National Broadband Plan for 5G Deployment Dr. Georgios Pantos Head of

The Evolution of the National Broadband Plan for 5G Deployment Dr. Georgios Pantos Head of Broadband &amp; Electronic Communications Networks Directorate Ministry of Digital Policy, Telecommunications and Media ITU FORUM Towards 5G Enabled

234 views • 10 slides
NextGen. Computing and Storage at Scale Overview and Implementation within the European HPC

NextGen. Computing and Storage at Scale Overview and Implementation within the European HPC

NextGen. Computing and Storage at Scale Overview and Implementation within the European HPC strategy Dr. Sebastien Varrette Workshop: &quot;Accelerating Modelling and Simulation in the Data Deluge Era&quot; Fontainebleau, March 19 th , 2018

488 views • 45 slides

More recommend