selective packet capture at high speed rates
play

Selective Packet Capture at High Speed Rates Reservoir Labs Peter - PowerPoint PPT Presentation

Apr 09, 2023 •388 likes •710 views

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox, Troy Hanson, Richard Lethin, Erik Mogus, Jordi Ros-Giralt, Alison Ryan, {cullen, ezick, fox, hanson, lethin, mogus, giralt, ryan}@reservoir.com

  1. Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox, Troy Hanson, Richard Lethin, Erik Mogus, Jordi Ros-Giralt, Alison Ryan, {cullen, ezick, fox, hanson, lethin, mogus, giralt, ryan}@reservoir.com Presenter: Jordi Ros-Giralt | giralt@reservoir.com 2nd European Zeek (Bro) Workshop April 10, 2019 632 Broadway Suite 803 New York, NY 10012 1 2nd European Zeek (Bro) Workshop Patented technologies

  2. Roadmap • Selective Packet Capture: Problem definition • Optimizations • Long queue emulation • Lockless bimodal queues • Tail early dropping • LFN tables • Multiresolution priority queues • Zeek script 2 2nd European Zeek (Bro) Workshop Patented technologies

  3. Packet Capturing at Very High Speed Rates • Scalability issue: performing packet capture is either intractable or requires highly expensive hardware both in processing and storage. • Liability issue: indiscriminate packet capture poses a liability issue. • Selective Packet Capture (SPC) provides a sweet-spot solution to both of these problems. • SPC gets a "free lunch" by leveraging all the heavy lifting work done by Zeek 3 2nd European Zeek (Bro) Workshop Patented technologies

  4. Problem Definition Capturing packets at very high speed rate is an HPC problem… So let's talk first about performance optimization... 4 2nd European Zeek (Bro) Workshop Patented technologies

  5. Problem Definition • System wide performance optimization of network components like routers, firewalls, or network analyzers such as a Zeek sensor is complex. • Hundreds of different SW algorithms and data structures interrelated in subtle ways. • Two interdependent problems: • Shifting micro-bottlenecks • Nonlinear performance collapse • Special focus on the problem of packet capturing at very high speed rates 5 2nd European Zeek (Bro) Workshop Patented technologies

  6. Problem Definition Shifting Micro-Bottlenecks It’s difficult... 6 2nd European Zeek (Bro) Workshop Patented technologies

  7. Problem Definition Shifting Micro-Bottlenecks ...to optimize... 7 2nd European Zeek (Bro) Workshop Patented technologies

  8. Problem Definition Shifting Micro-Bottlenecks ...bottlenecks... 8 2nd European Zeek (Bro) Workshop Patented technologies

  9. Problem Definition Shifting Micro-Bottlenecks ...that keep moving... 9 2nd European Zeek (Bro) Workshop Patented technologies

  10. Problem Definition Shifting Micro-Bottlenecks ...every microsecond... 10 2nd European Zeek (Bro) Workshop Patented technologies

  11. Problem Definition Shifting Micro-Bottlenecks ...or so. 11 2nd European Zeek (Bro) Workshop Patented technologies

  12. Non-linear Performance Collapse Disk I/O L1-I cache: 896 kB L1-D cache: 896 kB 10.4 Gbps Cache L2 cache: 7168 kB L3 cache: 71680 kB Net PCIE CPU I/O 40Gbps 64 Gbps 56 GHz Memory 1092 Gbps 12 2nd European Zeek (Bro) Workshop Patented technologies

  13. Non-linear Performance Collapse Healthy cache regime: - CPU operates out of cache - High cache hit ratios Disk I/O L1-I cache: 896 kB L1-D cache: 896 kB 10.4 Gbps Cache L2 cache: 7168 kB L3 cache: 71680 kB Net PCIE CPU I/O 40Gbps 64 Gbps 56 GHz Memory 1092 Gbps State 1: network is the bottleneck 13 2nd European Zeek (Bro) Workshop Patented technologies

  14. Non-linear Performance Collapse Highly inefficient memory regime: - CPU operates out of RAM - High cache miss ratios Disk I/O L1-I cache: 896 kB L1-D cache: 896 kB 10.4 Gbps Cache L2 cache: 7168 kB L3 cache: 71680 kB Net 10x penalty PCIE CPU I/O 40Gbps 64 Gbps 56 GHz Memory 1092 Gbps State 2: network is no longer the bottleneck 14 2nd European Zeek (Bro) Workshop Patented technologies

  15. Non-linear Performance Collapse Highly inefficient memory regime: - CPU operates out of RAM - High cache miss ratios Disk I/O L1-I cache: 896 kB L1-D cache: 896 kB 10.4 Gbps Cache L2 cache: 7168 kB L3 cache: 71680 kB Net 10x penalty PCIE CPU I/O 40Gbps 64 Gbps 56 GHz output Memory 1092 Gbps input State 2: network is no longer the bottleneck By removing the network bottleneck, system spends more time processing packets that will need to be dropped anyway → net performance degradation (performance collapse) 15 2nd European Zeek (Bro) Workshop Patented technologies

  16. Performance Optimization: Algorithms and Data Structures Long queue emulation Reduces packet drops due to fixed-size hardware rings Lockless bimodal queues Improves packet capturing performance Tail early dropping (TED) Increases information entropy and extracted metadata LFN tables Reduces state sharing overhead Multiresolution priority queues Reduces cost of processing timers 16 2nd European Zeek (Bro) Workshop Patented technologies

  17. Performance Optimization: Algorithms and Data Structures Long queue emulation Reduces packet drops due to fixed-size hardware rings Lockless bimodal queues Improves packet capturing performance Tail early dropping (TED) Increases information entropy and extracted metadata LFN tables Reduces state sharing overhead Multiresolution priority queues Reduces cost of processing timers 17 2nd European Zeek (Bro) Workshop Patented technologies

  18. Long Queue Emulation Dispatcher Model: Long queue emulation Model: - Packet read cache penalty. - Packet drop penalty under certain - Descriptor read cache penalty conditions 18 2nd European Zeek (Bro) Workshop Patented technologies

  19. Long Queue Emulation: Operational Lemma 19 2nd European Zeek (Bro) Workshop Patented technologies

  20. Long Queue Emulation in Practice Use LQE 20 2nd European Zeek (Bro) Workshop Patented technologies

  21. Long Queue Emulation • Optimal LQE size 21 2nd European Zeek (Bro) Workshop Patented technologies

  22. Performance Optimization: Algorithms and Data Structures Long queue emulation Reduces packet drops due to fixed-size hardware rings Lockless bimodal queues Improves packet capturing performance Tail early dropping Increases information entropy and extracted metadata LFN tables Reduces state sharing overhead Multiresolution priority queues Reduces cost of processing timers 22 2nd European Zeek (Bro) Workshop Patented technologies

  23. Lockless Bimodal Queues • Goal: move packets from the memory ring to disk without using locks (trigger capture) 23 2nd European Zeek (Bro) Workshop Patented technologies

  24. Lockless Bimodal Queues • Goal: move packets from the memory ring to disk without using locks 24 2nd European Zeek (Bro) Workshop Patented technologies

  25. Lockless Bimodal Queues 25 2nd European Zeek (Bro) Workshop Patented technologies

  26. Lockless Bimodal Queues 26 2nd European Zeek (Bro) Workshop Patented technologies

  27. Lockless Bimodal Queues 27 2nd European Zeek (Bro) Workshop Patented technologies

  28. SPC Workflow 28 2nd European Zeek (Bro) Workshop Patented technologies

  29. Selective Packet Capture API • The function spc_capture() takes two arguments as shown by its function prototype: ## API for capturing a Pcap function spc_capture(prefix: string, filter: string); • The prefix argument allows users to specify a prefix for the generated Pcap file name. The filter argument can be used to specify a BPF filter applied to the captured packets as they are written to the pcap file. See https://www.tcpdump.org/manpages/pcap-filter.7.html for the expression syntax of the BPF filter. If set to the empty string “”, all packets (without any filtering) are written to the Pcap file. 29 2nd European Zeek (Bro) Workshop Patented technologies

  30. Selective Packet Capture by Example 30 2nd European Zeek (Bro) Workshop Patented technologies

  31. Thank You 632 Broadway Suite 803 New York, NY 10012 812 SW Washington St. Suite 1200 Portland, OR 97205 31 2nd European Zeek (Bro) Workshop Patented technologies

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website:

786 views • 40 slides
Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data

518 views • 24 slides
How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal mechanism with high transmission and broad bandwidth Tsun-Hsu Chang ( ) Department of Physics, National Tsing Hua University Claim: The

454 views • 23 slides
Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

3G Evolution 3G Evolution 3G Evolution 3G Evolution Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet Access Deepak Dasalukunte Department of Electrical and Information Technology 16-Apr-2009

393 views • 25 slides
Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used to enhance the scanning process. Specifically, even if the Abstract Deep Packet Inspection (DPI) plays a major role in contemporary networks, and

479 views • 9 slides
Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract: The exposed memory hierarchies employed in many network processors (NPs) are expensive in terms of meeting the worst-case processing requirement.

427 views • 8 slides
Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed Network A Approaches for High Speed Network A h h f f Hi h S Hi h S d N t d N t k k Security Security Security Security APAN 32 nd Meeting

459 views • 21 slides
tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong

tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong

tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong Kong University of Science and Technology 2020/06/11 Background 2 1. Background q Previous MoCap systems 2 nd Generation 3 rd Generation 1 st

439 views • 31 slides
Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van

Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van

Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van Reeuwijk Herbert Bos Vrije Universiteit, Amsterdam World45 Ltd. ANCS 2007 Tom Hrub (VU Amsterdam, World45) Ruler on NPUs December 3, 2007

415 views • 25 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

Chair for Network Architectures and Services Technical University of Munich (TUM) MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich October 31th, 2015 Chair for Network Architectures and Services

519 views • 7 slides
MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

Chair for Network Architectures and Services Technische Universit at M unchen MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for Network Architectures and Services Department of Informatics

477 views • 21 slides
MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016

MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016

Chair for Network Architectures and Services Technical University of Munich (TUM) MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016 Chair for Network Architectures and Services Department of

1.2k views • 30 slides
Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Free Technology Workshop Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by Steven Gordon Bangkadi 3 rd floor IT Lab 10:30-13:30 Friday 18 July 2014 http://ict.siit.tu.ac.th/moodle/ _______

795 views • 48 slides
Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 .

Suricata and XDP , Performance with a S like Security . Leblond OISF Nov. 29, 2018 . Leblond (OISF) Suricata and XDP Nov. 29, 2018 1 / 43 Introduction 1 Suricata 101 Suricata on live traffic Problem 2 Reconstruction work Packet

786 views • 59 slides
Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge, Developer Advocate for Project Calico What prompted the team to add another dataplane to Calico? Calicos Pluggable Dataplane What is eBPF?

312 views • 20 slides
The eXpress Data Path Fast Programmable Packet Processing in the Operating System Kernel Toke

The eXpress Data Path Fast Programmable Packet Processing in the Operating System Kernel Toke

The eXpress Data Path Fast Programmable Packet Processing in the Operating System Kernel Toke Hiland-Jrgensen (Karlstad University) Jesper Dangaard Brouer (Red Hat) Daniel Borkmann (Cilium.io) John Fastabend (Cilium.io) Tom Herbert

738 views • 19 slides
Routing without Flow Control Costas Busch Rensselaer Polytechnic Institute Maurice Herlihy

Routing without Flow Control Costas Busch Rensselaer Polytechnic Institute Maurice Herlihy

Routing without Flow Control Costas Busch Rensselaer Polytechnic Institute Maurice Herlihy Brown University Roger Wattenhofer Microsoft Research 1 The network: n mesh n n n Discrete time Bi-directional links At most one

765 views • 49 slides
QoS in 5G: Enhancements for Connected Cars 5G V2X Communications Summer School Kings College

QoS in 5G: Enhancements for Connected Cars 5G V2X Communications Summer School Kings College

QoS in 5G: Enhancements for Connected Cars 5G V2X Communications Summer School Kings College London, UK Massimo Condoluci Ericsson Research 2018-06-12 Ericsson Internal | 2018-02-21 Agenda Background on QoS What is QoS? 5G QoS

342 views • 22 slides
Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler <bazsi@balabit.com> www.balabit.com Zorp Has been established in 2000, as the fjrst BalaBit product Code was GPLd right from the start Initial set

590 views • 20 slides
Strategies for Sound Internet Measurement Vern Paxson ICSI Center for Internet Research (ICIR)

Strategies for Sound Internet Measurement Vern Paxson ICSI Center for Internet Research (ICIR)

Strategies for Sound Internet Measurement Vern Paxson ICSI Center for Internet Research (ICIR) International Computer Science Institute Berkeley, CA vern@icir.org October 26, 2004 Disclaimers: There are no new research results in this

673 views • 25 slides
Making Google Congestion Control Robust over Wi-Fi Networks Using Packet Grouping Applied

Making Google Congestion Control Robust over Wi-Fi Networks Using Packet Grouping Applied

Making Google Congestion Control Robust over Wi-Fi Networks Using Packet Grouping Applied Networking Research Workshop 2016 Berlin, Germany, July 2016 (PDF) G. Carlucci, L. De Cicco, S. Holmer*, S. Mascolo Politecnico di Bari, Italy, *Google

593 views • 23 slides

More recommend