Packet Capturing Challenges And Approaches
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Packet Capturing Challenges And Approaches as PDF for free.
More details
- Words: 566
- Pages: 17
Packet Capturing Challenges and Approaches By Paritosh Tripathi C-DAC Mumbai [email protected]
Outline • • • • •
Introduction Background Approaches Challenges Path Ahead
Introduction • Need to monitor and troubleshoot network traffic • Dimensions to packet capture: port spanning • High speed networks: high data and high packet rates - Challenges • 2 choices: commodity systems with associated software or customized hardware - Approaches
Background • Packet capture: to grab a copy of packets off of the wire before they are processed by the operating system. • Packet arrives at network card: verifies checksum, extracts link layer data and triggers an interrupt • The interrupt calls the corresponding kernel driver for packet capturing
General overview Application
Capturing
User space
Network Stack Driver
Kernel space NIC
MAC PHY Natural flow Capturing
Medium
FIGURE 1
Approaches 1) Under this approach: less than 1Gbps 2) Under this approach: between 1 and 10Gbps 3) Under this approach any network speed with any data rate
Approach 1 • Libpcap is an open source library that provides a high level interface to network packet capture (figure 2). • Step 1: find an interface to listen on • Step 2: open the interface & set the byte count to be captured at a time • Step 3: tell libpcap to start capturing packets
Packet Capturing using Libpcap User code libpcap calls Other applications
libpcap library raw_socket
User Space
Network Stack Device Driver
Kernel space
MAC PHY Ethernet
FIGURE 2
mmaped version of libpcap • Focus on moving packets from kernel space to user space • Reduce per packet system calls • Incoming packets are copied from the NIC to a kernel buffer that is shared between the kernel and the monitoring application
The PF_Ring Patch • New type of socket optimized for packet capture based on circular buffer • Packets are copied into the ring and not to the kernel network data structure • Mmap primitives allows no overhead due to system calls as in case of socket calls • Packets need not to be passed to upper layers
Hang-on not all is captured!!! • Network speeds are reaching (< 1Gbps) • The kernel is still involved in packet capturing process • No way to exploit multiprocessing • The processor which runs MAC stack on NIC is partially used • Device drivers are not optimized for packet capture
Approach 2: A way towards Gbps rates • nCap library as a software solution • Custom hardware: NIC card (interrupt coalescing) and a dedicated processor for packet capturing and analysis. • Make common operations fast: Network processor usage
Capturing using nCap Application nCap library
PF_Ring
User space
Network Stack Driver
Kernel space NIC
MAC PHY Medium
FIGURE 3
Custom hardware General CPU
NIC
Runs only certain Application
Network Processor Certain Operations Fast
Ethernet
Type 1
NIC
Ethernet
Type 2 FIGURE 4
Approach 3: Specialized hardware (Net-FPGA is a case) • Has gigabit ethernet ports • Captures data and DMA writes to shared memory • Host CPU is not involved in capturing • CPU time saved can be used for packet processing • Cheap, open-source and well supported
Limitations with approach 2 & 3 • Cost implications are very high • Limited usage
Path Ahead • Networks have already reached multigigabits of speed • Special NICs with hardware accelerated packet forwarding and filtering (NIFIC) • Endace DAG card, which uses multicore and complex load balancing algorithms
Outline • • • • •
Introduction Background Approaches Challenges Path Ahead
Introduction • Need to monitor and troubleshoot network traffic • Dimensions to packet capture: port spanning • High speed networks: high data and high packet rates - Challenges • 2 choices: commodity systems with associated software or customized hardware - Approaches
Background • Packet capture: to grab a copy of packets off of the wire before they are processed by the operating system. • Packet arrives at network card: verifies checksum, extracts link layer data and triggers an interrupt • The interrupt calls the corresponding kernel driver for packet capturing
General overview Application
Capturing
User space
Network Stack Driver
Kernel space NIC
MAC PHY Natural flow Capturing
Medium
FIGURE 1
Approaches 1) Under this approach: less than 1Gbps 2) Under this approach: between 1 and 10Gbps 3) Under this approach any network speed with any data rate
Approach 1 • Libpcap is an open source library that provides a high level interface to network packet capture (figure 2). • Step 1: find an interface to listen on • Step 2: open the interface & set the byte count to be captured at a time • Step 3: tell libpcap to start capturing packets
Packet Capturing using Libpcap User code libpcap calls Other applications
libpcap library raw_socket
User Space
Network Stack Device Driver
Kernel space
MAC PHY Ethernet
FIGURE 2
mmaped version of libpcap • Focus on moving packets from kernel space to user space • Reduce per packet system calls • Incoming packets are copied from the NIC to a kernel buffer that is shared between the kernel and the monitoring application
The PF_Ring Patch • New type of socket optimized for packet capture based on circular buffer • Packets are copied into the ring and not to the kernel network data structure • Mmap primitives allows no overhead due to system calls as in case of socket calls • Packets need not to be passed to upper layers
Hang-on not all is captured!!! • Network speeds are reaching (< 1Gbps) • The kernel is still involved in packet capturing process • No way to exploit multiprocessing • The processor which runs MAC stack on NIC is partially used • Device drivers are not optimized for packet capture
Approach 2: A way towards Gbps rates • nCap library as a software solution • Custom hardware: NIC card (interrupt coalescing) and a dedicated processor for packet capturing and analysis. • Make common operations fast: Network processor usage
Capturing using nCap Application nCap library
PF_Ring
User space
Network Stack Driver
Kernel space NIC
MAC PHY Medium
FIGURE 3
Custom hardware General CPU
NIC
Runs only certain Application
Network Processor Certain Operations Fast
Ethernet
Type 1
NIC
Ethernet
Type 2 FIGURE 4
Approach 3: Specialized hardware (Net-FPGA is a case) • Has gigabit ethernet ports • Captures data and DMA writes to shared memory • Host CPU is not involved in capturing • CPU time saved can be used for packet processing • Cheap, open-source and well supported
Limitations with approach 2 & 3 • Cost implications are very high • Limited usage
Path Ahead • Networks have already reached multigigabits of speed • Special NICs with hardware accelerated packet forwarding and filtering (NIFIC) • Endace DAG card, which uses multicore and complex load balancing algorithms
Related Documents
Packet Capturing Challenges And Approaches
May 2020 1
Cost Capturing Approaches 2004-05-24
October 2019 7
Approaches
November 2019 43
Capturing Input
November 2019 35
Capturing And Visualising Bluetooth Encounters
April 2020 6