Network professionals today face an unprecedented influx of data from billions of connected devices and sensors. Cisco estimates that, due to the advent of the Internet of Things (IoT), there are about 10 billion connected “things” – and that’s only 0.6 percent of the objects that could be connected. In other words, the data flow is only going to get bigger, demanding faster network speeds and nanosecond precision.

Though administrators and engineers have a variety of available tools to help them manage and secure large and small-scale networks alike, few capabilities are as fundamental to this task as packet capture (PCAP). A mechanism for intercepting data packets that are traversing a computer network, PCAP is commonly deployed within an organization to monitor security events and network performance, identify data leaks, troubleshoot issues and even perform forensic analysis to determine the impact of network breaches.

However, existing PCAP systems using commodity network interface cards (NICs) are struggling to keep up with the demands of performing precision capture and replay at 10/40/100 Gbps speeds. Fortunately, there are solutions today that have been built to facilitate packet capture at speeds topping 100 Gbps. The use of network acceleration technology, coupled with open source network monitoring and capture solutions, can enable organizations to keep up with the demands of precision packet capture and replay on high-speed networks.

Guest article by Dan Joe Barry, VP Positioning and Chief Evangelist, Napatech

Precision PCAP Systems

Administrators and engineers can get an accurate, real-time view of what is happening within a network infrastructure by using effective PCAP and analysis systems. Likewise, precision PCAP systems also provide organizations with the ability to re-create network events with high fidelity for verification and validation of architectural changes, troubleshooting and analysis.

When the time comes to choose analysis and security solutions for high-speed networks, it is important to consider coupling open source tools with the speed and accuracy of programmable logic. Here are three key factors when comparing your options:

  • Directing the Flow of Traffic: To maintain capture and analysis performance at high speeds, it is important to implement technology that has the capability to identify and direct traffic flows immediately upon ingress. In doing so, the load on user-space applications can be minimized and administrators are provided with the ability to dynamically identify and direct data flows into specific CPU cores based on the type of traffic being analyzed.
  • High-speed Capture and Replay: FPGA-based network acceleration cards (NACs) are ideal for performing high-speed packet capture and replay at a variety of speeds, including 1/10/40/100 Gbps. Moreover, NACs allow for precise inter-frame gap (IFG) control, which is critical when replaying captured traffic for troubleshooting or simulation of traffic flows.
  • Hardware-based time stamping: Look for solutions that provide hardware-based, high-precision time stamping with nanosecond resolution for every frame captured and transmitted. Hardware-based time stamping avoids the unpredictable latency inherent in software-based solutions and enables a communication flow to be recorded precisely as it occurs. Precision time protocol (PTP) can also be supported for accurate synchronization across distributed network probes.

Conventional PCAP Architecture

Traditionally, software tools have performed packet capture and analysis on an organization’s network infrastructure. In this case, software is installed on a designated monitoring host and configured to read packets from a commodity network adapter placed in promiscuous mode and connected to the network via a Switched Port Analyzer (SPAN) port. A typical architecture for low-speed PCAP using a commodity NIC and libpcap is illustrated in the following figure:

[Figure: conventional low-speed PCAP architecture with a commodity NIC, the kernel buffer and libpcap]

The network adapter copies each received Ethernet frame into a kernel-space memory buffer (by DMA) and raises an interrupt request to signal its arrival; drivers coalesce these interrupts at high rates, but every frame still has to be handled by the CPU. Normally the kernel-space driver would determine whether the packet is intended for this host and either drop it or pass it up the protocol stack until it reaches the user-space application it is destined for.

However, when the adapter is in promiscuous mode, all frames are captured into a kernel buffer regardless of their destination address. When that buffer fills (or a timeout expires), the capturing process is woken and the data is handed across the kernel/user boundary to a buffer managed by libpcap, a system-independent interface for user-level packet capture, so that user-level applications can process it.

User-level applications cannot read the kernel buffer directly, because the kernel must keep applications out of kernel-managed memory. Given this architecture, some time will always elapse between a frame being received by the adapter and its delivery to the user-space application for processing.

This delay has little effect on PCAP accuracy at low data rates, but at higher rates it compounds: CPUs become saturated trying to keep pace with incoming data, leading to capture loss and timing errors. Consider, for example, that a 1 Gbps link carrying minimum-size (64-byte) frames can push around 1.5 million packets per second, or one packet every 670 nanoseconds. At 10 and 100 Gbps, the same frame size means one packet every 67 or 6.7 nanoseconds, respectively.

It’s already a challenge to capture traffic at this rate in a conventional architecture, not to mention the added complexity of precise timing, categorization, flow identification and filtering. Performing lossless, high-fidelity packet capture, replay and real-time analysis of data flows at these rates requires a different approach to PCAP, one that moves the bulk of the per-packet processing out of software, whether kernel or user space, and into hardware, and eliminates the inefficiency of kernel-to-user-space copies and context switches.
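To put these per-packet budgets in context, here is an added example (not from the article) that derives them from the Ethernet framing overhead and extends the same arithmetic to maximum-size frames, to the capture bandwidth a probe must absorb, and to the number of perfectly balanced cores a given per-packet software cost would require. The 500 ns per-packet cost used in the demo is a constructed figure, not a measurement.

```python
"""Per-packet time budget at line rate (added example; not from the article).

Assumes standard Ethernet framing: a 7-byte preamble + 1-byte SFD and a
12-byte minimum inter-frame gap (IFG) surround every frame on the wire; the
minimum frame is 64 bytes and the maximum 1518 bytes (both including the
4-byte FCS). The per-packet CPU cost passed to cores_required() is a
constructed illustrative figure.
"""
import math

PREAMBLE_SFD_BYTES = 8
MIN_IFG_BYTES = 12
MIN_FRAME_BYTES = 64
MAX_FRAME_BYTES = 1518
PCAP_RECORD_HEADER_BYTES = 16  # per-packet header of the classic pcap file format


def wire_bits(frame_bytes: int) -> int:
    """Bits one frame occupies on the wire, including preamble/SFD and IFG."""
    return (frame_bytes + PREAMBLE_SFD_BYTES + MIN_IFG_BYTES) * 8


def max_pps(link_gbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Theoretical maximum frames per second in one direction of the link."""
    return link_gbps * 1e9 / wire_bits(frame_bytes)


def ns_per_packet(link_gbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Average time budget per packet, in nanoseconds, at line rate."""
    return 1e9 / max_pps(link_gbps, frame_bytes)


def cores_required(link_gbps: float, frame_bytes: int, ns_cost_per_packet: float) -> int:
    """Cores needed to keep up if every packet costs `ns_cost_per_packet` of CPU
    time and load balances perfectly. This is a best case: real balancing is
    per flow, so a single hot flow cannot be split across cores."""
    return math.ceil(ns_cost_per_packet / ns_per_packet(link_gbps, frame_bytes))


def capture_bytes_per_second(link_gbps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Bytes the capture path must absorb per second at line rate, including
    the pcap per-record header. Small frames are the worst case for packet
    rate; large frames for byte rate."""
    return max_pps(link_gbps, frame_bytes) * (frame_bytes + PCAP_RECORD_HEADER_BYTES)


def budget_table(link_speeds_gbps=(1, 10, 40, 100),
                 frame_sizes=(MIN_FRAME_BYTES, MAX_FRAME_BYTES)):
    """{(gbps, frame_bytes): (pps, ns_per_packet, capture_MB_per_s)} for the
    link speeds the article discusses."""
    table = {}
    for gbps in link_speeds_gbps:
        for fb in frame_sizes:
            table[(gbps, fb)] = (max_pps(gbps, fb), ns_per_packet(gbps, fb),
                                 capture_bytes_per_second(gbps, fb) / 1e6)
    return table


if __name__ == "__main__":
    for (gbps, fb), (pps, ns, mb_s) in sorted(budget_table().items()):
        print(f"{gbps:>3} Gbps, {fb:>4}-byte frames: {pps / 1e6:8.3f} Mpps, "
              f"{ns:8.2f} ns/packet, {mb_s:8.1f} MB/s into the capture buffer")
    # Constructed 500 ns software cost per packet: cores needed at 10G and 100G.
    print("cores at 10 Gbps / 64 B:", cores_required(10, 64, 500))
    print("cores at 100 Gbps / 64 B:", cores_required(100, 64, 500))
```

The 1.5 Mpps / 670 ns and 67 ns / 6.7 ns figures in the text fall out of max_pps() and ns_per_packet() with 64-byte frames; the cores_required() line makes the point the paragraph is driving at, namely that even a modest per-packet software cost needs tens of perfectly balanced cores at 100 Gbps.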

PCAP Architecture – The New Approach

Using a hardware-accelerated approach, it’s possible to achieve the goals of PCAP on high-speed networks. The targeted use of programmable logic coupled with open source tools allows data to be accurately captured and processed within a NAC before it is passed into user-space applications. This figure illustrates what an accelerated PCAP architecture might look like:

[Figure: accelerated PCAP architecture with an FPGA-based NAC performing time stamping, classification and filtering before data reaches user space]

High-performance NACs use Field Programmable Gate Arrays (FPGAs) to perform in-line event processing and line-rate packet analysis in hardware at 1/10/40/100 Gbps speeds. Due to their programmable nature, FPGAs play an important role in, and are an ideal fit for, many different markets.

These semiconductor devices are built around a matrix of configurable logic blocks (CLBs) connected via programmable interconnects, and can be reprogrammed after manufacturing to suit the requirements of the application. Through the use of FPGA-based NACs, network administrators can immediately improve an organization’s ability to monitor and react to events that occur within its network infrastructure.

This scenario leverages line-rate packet analysis to push most of the frame processing into the hardware of the capture device, which can be deployed within a commodity server or workstation, preserving CPU cycles for higher-level analysis. This approach ensures that by the time data is passed to the user-space buffer for access by applications, it has already been time-stamped, categorized, and filtered appropriately.

Powerful yet cost-effective solutions can be built for a variety of purposes by coupling these devices with open source applications. In general, high-performance NACs enable easy in-house development of scalable, high-performance network applications over PCAP.

Even complex payload analysis and network-wide correlation algorithms can be scaled across cores by the flow-based load-balancing mechanism built into the NAC. The more complex the analysis the application performs, the more critical it is that the PCAP stream from the capture device has no packet drops and delivers frames in the correct order. Tasks like protocol reconstruction, reassembly, event detection and QoS calculations are severely impacted by insufficient PCAP performance; a connection the sensor cannot reassemble because part of it was dropped is, in effect, invisible to detection.
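The ingress-time traffic direction listed as the first key factor above and the NAC’s flow-based load balancing in this paragraph rest on the same idea: hash the flow key so that every packet of a connection lands on the same core, in order. The following added example (not Napatech’s code; it reimplements the idea in software on constructed frames) shows a symmetric 5-tuple hash that keeps both directions of a TCP or UDP connection on the same queue, which is what reassembly and detection need. The parser handles Ethernet II/IPv4 only, and pinning non-IP traffic to queue 0 is an assumed policy.

```python
"""Symmetric flow hashing to spread captured frames across CPU cores.
Added example, not Napatech's code: a software model of the flow-based load
balancing the article attributes to the NAC. Test frames are constructed
inline; parsing covers Ethernet II / IPv4 / TCP or UDP only."""
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_5tuple(frame: bytes):
    """Return (src_ip, dst_ip, proto, src_port, dst_port) for IPv4/TCP or UDP
    over Ethernet II, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]                 # protocol field at IP header offset 9
    src_ip, dst_ip = frame[26:30], frame[30:34]
    l4 = 14 + ihl
    if proto not in (PROTO_TCP, PROTO_UDP) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return src_ip, dst_ip, proto, sport, dport


def symmetric_flow_hash(five_tuple) -> int:
    """Hash that is identical for both directions of a connection, so one core
    sees request and response and can reassemble the stream. The two
    (ip, port) endpoints are sorted before hashing to make it direction-agnostic."""
    src_ip, dst_ip, proto, sport, dport = five_tuple
    lo, hi = sorted([(src_ip, sport), (dst_ip, dport)])
    return zlib.crc32(lo[0] + hi[0] + struct.pack("!HHB", lo[1], hi[1], proto))


def queue_for(frame: bytes, n_queues: int) -> int:
    """Receive queue (core) for a frame. Non-IPv4/TCP/UDP traffic goes to
    queue 0 (assumed policy, not from the article)."""
    t = parse_5tuple(frame)
    return 0 if t is None else symmetric_flow_hash(t) % n_queues


def distribute(frames, n_queues):
    """Assign frames to queues in arrival order: {queue: [frame_index, ...]}.
    Per-flow order is preserved because a flow never changes queue."""
    queues = {q: [] for q in range(n_queues)}
    for i, frame in enumerate(frames):
        queues[queue_for(frame, n_queues)].append(i)
    return queues


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"") -> bytes:
    """Construct a minimal test frame (checksums zero; not valid on a real wire)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


if __name__ == "__main__":
    client = build_frame("10.0.0.1", "192.0.2.10", PROTO_TCP, 40000, 443, b"GET")
    server = build_frame("192.0.2.10", "10.0.0.1", PROTO_TCP, 443, 40000, b"200")
    dns = build_frame("10.0.0.1", "192.0.2.53", PROTO_UDP, 5353, 53)
    print("client queue:", queue_for(client, 8), "server queue:", queue_for(server, 8))
    print("distribution over 4 queues:", distribute([client, server, dns], 4))
```

A hash that is not symmetric (for instance, hashing the raw src/dst order as many RSS configurations do by default) would send the two halves of a TCP session to different cores, and a reassembly engine on either core would see only one side of the conversation.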

Evaluate solutions that support the Precision Time Protocol (PTP, IEEE 1588). With it, precise time synchronization is maintained in a distributed deployment where multiple accelerated PCAP probes are placed throughout a network infrastructure, which allows frames from multiple ports on multiple NACs to be merged into a single, time-ordered analysis stream.

Precise time synchronization of this level ensures that organizations can perform retrospective analysis of network events by replaying data in exactly the same way as it was captured, complete with precise timing and inter-frame gap control.
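As an added example (not Napatech’s code), the following Python merges time-stamped records from two constructed probes into one time-ordered stream as described above, derives the inter-frame gaps a replay engine must reproduce, and writes the result as a nanosecond-resolution pcap file. Round-tripping the same records through the classic microsecond pcap format shows why nanosecond resolution matters at 100 Gbps, where back-to-back frames are only a few nanoseconds apart. It assumes the probes’ clocks are already PTP-synchronised to one time base; the probe names and timestamps are constructed.

```python
"""Merge timestamped captures from several probes into one time-ordered stream
and store it with nanosecond resolution. Added example, not Napatech's code.
Assumes all probes are PTP-synchronised to the same clock; records are
constructed with one nanosecond timestamp per frame."""
import heapq
import struct

PCAP_MAGIC_US = 0xA1B2C3D4  # classic pcap: microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1


def merge_probe_streams(streams):
    """streams: {probe_id: [(ts_ns, frame), ...]} each in capture order.
    Returns [(ts_ns, probe_id, frame), ...] in global time order via a k-way
    heap merge (O(n log k)); equal timestamps are ordered by probe_id."""
    heap = [(recs[0][0], pid, 0) for pid, recs in streams.items() if recs]
    heapq.heapify(heap)
    merged = []
    while heap:
        ts, pid, i = heapq.heappop(heap)
        merged.append((ts, pid, streams[pid][i][1]))
        if i + 1 < len(streams[pid]):
            heapq.heappush(heap, (streams[pid][i + 1][0], pid, i + 1))
    return merged


def ordering_faults(records):
    """Indices where timestamps go backwards. A hardware timestamper on one
    port should never produce these; if they appear, suspect reordering in
    the capture path or a clock step, not the traffic itself."""
    return [i for i in range(1, len(records)) if records[i][0] < records[i - 1][0]]


def inter_frame_gaps_ns(records):
    """Gaps between consecutive frames: what replay with IFG control reproduces."""
    return [records[i][0] - records[i - 1][0] for i in range(1, len(records))]


def write_pcap(records, nanosecond=True, snaplen=65535):
    """Serialise [(ts_ns, frame), ...] into little-endian pcap bytes."""
    magic = PCAP_MAGIC_NS if nanosecond else PCAP_MAGIC_US
    out = [struct.pack("<IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_ns, frame in records:
        sec, rem = divmod(ts_ns, 1_000_000_000)
        frac = rem if nanosecond else rem // 1000   # microsecond format truncates
        out.append(struct.pack("<IIII", sec, frac, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Parse pcap bytes back into [(ts_ns, frame), ...], honouring the magic."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (PCAP_MAGIC_NS, PCAP_MAGIC_US):
        raise ValueError("not a little-endian pcap file")
    scale = 1 if magic == PCAP_MAGIC_NS else 1000
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec * 1_000_000_000 + frac * scale, data[off:off + incl]))
        off += incl
    return records


def demo_streams():
    """Constructed capture from two probes; frames 6 ns apart mimic
    back-to-back minimum-size frames at 100 Gbps."""
    base = 1_700_000_000 * 1_000_000_000
    return {
        "probeA": [(base + 1000, b"A1"), (base + 1006, b"A2"), (base + 1100, b"A3")],
        "probeB": [(base + 1003, b"B1"), (base + 1050, b"B2")],
    }


if __name__ == "__main__":
    merged = merge_probe_streams(demo_streams())
    flat = [(ts, frame) for ts, _, frame in merged]
    print("order:", [(pid, frame) for _, pid, frame in merged])
    print("gaps (ns):", inter_frame_gaps_ns(flat))
    ns_back = read_pcap(write_pcap(flat, nanosecond=True))
    us_back = read_pcap(write_pcap(flat, nanosecond=False))
    print("distinct timestamps, ns pcap:", len({ts for ts, _ in ns_back}))
    print("distinct timestamps, us pcap:", len({ts for ts, _ in us_back}))
```

Five frames that are distinct in the nanosecond file collapse onto a single timestamp in the microsecond file, so the inter-frame gaps needed for faithful replay are gone. The nanosecond magic (0xA1B23C4D) is understood by libpcap-based tools; pcapng with a suitable if_tsresol option is the other common way to keep nanosecond timestamps.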

Having the ability to perform a retrospective review of activity, and also providing a real-time view of what is happening within a network, is critical to understanding and measuring performance, identifying bottlenecks, troubleshooting issues, and securing the environment. As such, packet capture and analysis continues to play a critical role in managing and securing large and small-scale networks.

A New Architecture for High-speed Networks

Traditional means of performing PCAP cannot keep pace with today’s high-speed network fabrics; the result is large amounts of dropped packet data and imprecise timing. In order to enable PCAP at 10/40/100 Gbps speeds or higher, the processing of captured packets must be pushed to the point of ingest.

To maintain zero packet loss and precision at such high speeds, hardware acceleration is a necessity. The combination of open source software deployed on commodity servers and programmable logic will help to future-proof high-speed networks.

For more information on optimizing your network monitoring strategy and infrastructure, check out the free Aberdeen report, Catching the Next Networking Wave.

Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.