Replica - A Fast Packet Capture Mechanism

Replica - A Fast Packet Capture Mechanism

SPDK-based Packet Capture Mechanism for DPDK-based switch/router

Networking

  • 0 Collaborators

  • 2 Followers

    Follow

Description

Introduction

Replica is an SPDK-based Packet Capture Mechanism for DPDK-based switch/router. This article covers the details about the need for a packet capture mechanism. and the design and features of Replica.

Problem

Packet Capture is an essential piece for development, testing and troubleshooting. It is essential that a good network device has robust packet capture mechanism. Many network devices either lack a good packet capture mechanism or need expensive devices.

Firehose

Debugging the firehose is not easy. The sheer bandwidth may make it impractical to store the packets that are arriving at high frequency. Obviously, filter mechanism such as Wireshark packet filter mechanism will not suffice.

DPDK

DPDK is a kit that uses commodity hardware such as Intel CPU and NIC to achieve near-ASIC network forwarding solution. DPDK uses smart techniques such as user-level, polled mode drivers, bulking, ring buffers, large page size, prefetch, efficient use of cache, pinning threads to core, smart software algorithms, NIC offload, etc. to achieve this.

SPDK

SPDK is an offshoot of DPDK. While DPDK is focused on network solutions, SPDK is focused on storage solutions. SPDK can offer near 100x compared to hard disk based Linux file system and near-10x improvements compared to SSD based Linux solution. Like DPDK, SPDK uses techniques such as user-level, polled mode drivers, efficient use of cache, pinning threads to core, etc. to provide an order of magnitude performance improvement.

Solution

Replica is a solution that offers a practical, cheap, robust, fast packet capture mechanism. It uses several techniques to achieve this:

  • Efficient filter mechanism
  • Fast handoff to the storage core avoiding
  • Multiple packet capture sessions
  • Ability to store full packet or partial packet (e.g. first 64 bytes)
  • Capture 1:1 packets or Packet Sampling (e.g. 1 out of 32)
  • Bloom filter support and/or Cuckoo filter support
  • Ability to identify packets of interest at several touch points: * Ingress or Egress * Port, VLAN, Port-VLAN * L2 or L3 * Flow Level * ACL level * QoS
  • Auxiliary Action support: Matching or non-matching is the trigger for packet capture. For e.g. capture all ACL-denied packets
  • Ability to build complex rules: E.g. capture first 32 bytes of 1 out of 64 packets that are specific to a flow.
  • Expanding SPAN concepts: While traditional SPAN is for replicating a port, we extend the concept to allow it to capture only first x bytes, sample, etc.
  • SPAN+ or storage: The destination is another port or storage
  • Support standard PCAP format for decoding/analyzing using Wireshark
    • Use of one or more cores simultaneously for packet capture

Summary: (to be removed if needed) SPDK-based Packet Capture Mechanism for DPDK-based switch/router

This feature will allow packet capture in various ways:

  • Using SPDK, it stores in disk in .pcap format
  • Advanced filter support using ACL, Flow and fuzzy logic (Bloom filter)
  • Support for multiple packet capture sessions
  • Support for high traffic capture limited only by SPDK and DPDK
  • Replicated packets will be sent to another interface (SPAN)
  • Will support ERSPAN (Encapsulated Remote SPAN)
  • Will do full 1:1 packet capture or sampling (for e.g. 1 out of 64)
  • Will do full packet or first segment (say, first 64 bytes)
  • Support for Wireshark format (directly sends in Wireshark .pcap format to a remote destination)
  • Multiple touch points for capture - Port, Port-VLAN, VLAN, L3, ACL, etc

Tharaneedharan V. added photos to project Replica - A Fast Packet Capture Mechanism

Medium 70e6b352 452f 468f aa92 e7e8e8b6b8f1

Replica - A Fast Packet Capture Mechanism

Introduction

Replica is an SPDK-based Packet Capture Mechanism for DPDK-based switch/router. This article covers the details about the need for a packet capture mechanism. and the design and features of Replica.

Problem

Packet Capture is an essential piece for development, testing and troubleshooting. It is essential that a good network device has robust packet capture mechanism. Many network devices either lack a good packet capture mechanism or need expensive devices.

Firehose

Debugging the firehose is not easy. The sheer bandwidth may make it impractical to store the packets that are arriving at high frequency. Obviously, filter mechanism such as Wireshark packet filter mechanism will not suffice.

DPDK

DPDK is a kit that uses commodity hardware such as Intel CPU and NIC to achieve near-ASIC network forwarding solution. DPDK uses smart techniques such as user-level, polled mode drivers, bulking, ring buffers, large page size, prefetch, efficient use of cache, pinning threads to core, smart software algorithms, NIC offload, etc. to achieve this.

SPDK

SPDK is an offshoot of DPDK. While DPDK is focused on network solutions, SPDK is focused on storage solutions. SPDK can offer near 100x compared to hard disk based Linux file system and near-10x improvements compared to SSD based Linux solution. Like DPDK, SPDK uses techniques such as user-level, polled mode drivers, efficient use of cache, pinning threads to core, etc. to provide an order of magnitude performance improvement.

Solution

Replica is a solution that offers a practical, cheap, robust, fast packet capture mechanism. It uses several techniques to achieve this:

- Efficient filter mechanism
- Fast handoff to the storage core avoiding
- Multiple packet capture sessions
- Ability to store full packet or partial packet (e.g. first 64 bytes)
- Capture 1:1 packets or Packet Sampling (e.g. 1 out of 32)
- Bloom filter support and/or Cuckoo filter support
- Ability to identify packets of interest at several touch points:
* Ingress or Egress
* Port, VLAN, Port-VLAN
* L2 or L3
* Flow Level
* ACL level
* QoS
- Auxiliary Action support: Matching or non-matching is the trigger for packet capture. For e.g. capture all ACL-denied packets
- Ability to build complex rules: E.g. capture first 32 bytes of 1 out of 64 packets that are specific to a flow.
- Expanding SPAN concepts: While traditional SPAN is for replicating a port, we extend the concept to allow it to capture only first x bytes, sample, etc.
- SPAN+ or storage: The destination is another port or storage
- Support standard PCAP format for decoding/analyzing using Wireshark
- Use of one or more cores simultaneously for packet capture

Summary: (to be removed if needed)
SPDK-based Packet Capture Mechanism for DPDK-based switch/router

This feature will allow packet capture in various ways:

- Using SPDK, it stores in disk in .pcap format
- Advanced filter support using ACL, Flow and fuzzy logic (Bloom filter)
- Support for multiple packet capture sessions
- Support for high traffic capture limited only by SPDK and DPDK
- Replicated packets will be sent to another interface (SPAN)
- Will support ERSPAN (Encapsulated Remote SPAN)
- Will do full 1:1 packet capture or sampling (for e.g. 1 out of 64)
- Will do full packet or first segment (say, first 64 bytes)
- Support for Wireshark format (directly sends in Wireshark .pcap format to a remote destination)
- Multiple touch points for capture - Port, Port-VLAN, VLAN, L3, ACL, etc

Default user avatar 57012e2942

Tharaneedharan V. created project Replica - A Fast Packet Capture Mechanism

Medium 70e6b352 452f 468f aa92 e7e8e8b6b8f1

Replica - A Fast Packet Capture Mechanism

Introduction

Replica is an SPDK-based Packet Capture Mechanism for DPDK-based switch/router. This article covers the details about the need for a packet capture mechanism. and the design and features of Replica.

Problem

Packet Capture is an essential piece for development, testing and troubleshooting. It is essential that a good network device has robust packet capture mechanism. Many network devices either lack a good packet capture mechanism or need expensive devices.

Firehose

Debugging the firehose is not easy. The sheer bandwidth may make it impractical to store the packets that are arriving at high frequency. Obviously, filter mechanism such as Wireshark packet filter mechanism will not suffice.

DPDK

DPDK is a kit that uses commodity hardware such as Intel CPU and NIC to achieve near-ASIC network forwarding solution. DPDK uses smart techniques such as user-level, polled mode drivers, bulking, ring buffers, large page size, prefetch, efficient use of cache, pinning threads to core, smart software algorithms, NIC offload, etc. to achieve this.

SPDK

SPDK is an offshoot of DPDK. While DPDK is focused on network solutions, SPDK is focused on storage solutions. SPDK can offer near 100x compared to hard disk based Linux file system and near-10x improvements compared to SSD based Linux solution. Like DPDK, SPDK uses techniques such as user-level, polled mode drivers, efficient use of cache, pinning threads to core, etc. to provide an order of magnitude performance improvement.

Solution

Replica is a solution that offers a practical, cheap, robust, fast packet capture mechanism. It uses several techniques to achieve this:

  • Efficient filter mechanism
  • Fast handoff to the storage core avoiding
  • Multiple packet capture sessions
  • Ability to store full packet or partial packet (e.g. first 64 bytes)
  • Capture 1:1 packets or Packet Sampling (e.g. 1 out of 32)
  • Bloom filter support and/or Cuckoo filter support
  • Ability to identify packets of interest at several touch points: * Ingress or Egress * Port, VLAN, Port-VLAN * L2 or L3 * Flow Level * ACL level * QoS
  • Auxiliary Action support: Matching or non-matching is the trigger for packet capture. For e.g. capture all ACL-denied packets
  • Ability to build complex rules: E.g. capture first 32 bytes of 1 out of 64 packets that are specific to a flow.
  • Expanding SPAN concepts: While traditional SPAN is for replicating a port, we extend the concept to allow it to capture only first x bytes, sample, etc.
  • SPAN+ or storage: The destination is another port or storage
  • Support standard PCAP format for decoding/analyzing using Wireshark
    • Use of one or more cores simultaneously for packet capture

Summary: (to be removed if needed) SPDK-based Packet Capture Mechanism for DPDK-based switch/router

This feature will allow packet capture in various ways:

  • Using SPDK, it stores in disk in .pcap format
  • Advanced filter support using ACL, Flow and fuzzy logic (Bloom filter)
  • Support for multiple packet capture sessions
  • Support for high traffic capture limited only by SPDK and DPDK
  • Replicated packets will be sent to another interface (SPAN)
  • Will support ERSPAN (Encapsulated Remote SPAN)
  • Will do full 1:1 packet capture or sampling (for e.g. 1 out of 64)
  • Will do full packet or first segment (say, first 64 bytes)
  • Support for Wireshark format (directly sends in Wireshark .pcap format to a remote destination)
  • Multiple touch points for capture - Port, Port-VLAN, VLAN, L3, ACL, etc

No users to show at the moment.