Replica is an SPDK-based packet capture mechanism for a DPDK-based switch/router. This article covers the need for a packet capture mechanism and the design and features of Replica.
Packet capture is an essential piece of development, testing and troubleshooting, so a good network device needs a robust packet capture mechanism. Many network devices either lack a good packet capture mechanism or need expensive devices.
Debugging the firehose is not easy. The sheer bandwidth may make it impractical to store packets that arrive at high frequency. A filter mechanism such as the Wireshark packet filter will not suffice.
DPDK is a kit that uses commodity hardware such as Intel CPUs and NICs to achieve a near-ASIC network forwarding solution. To do this, DPDK uses techniques such as user-level, polled mode drivers, bulking, ring buffers, large page sizes, prefetching, efficient use of cache, pinning threads to cores, smart software algorithms, NIC offload, etc.
SPDK is an offshoot of DPDK. While DPDK is focused on network solutions, SPDK is focused on storage solutions. SPDK can offer near-100x improvements compared to a hard disk based Linux file system and near-10x improvements compared to an SSD based Linux solution. Like DPDK, SPDK uses techniques such as user-level, polled mode drivers, efficient use of cache, pinning threads to cores, etc. to provide an order of magnitude performance improvement.
Replica is a solution that offers a practical, cheap, robust, fast packet capture mechanism. It uses several techniques to achieve this:
- Efficient filter mechanism
- Fast handoff to the storage core avoiding
- Multiple packet capture sessions
- Ability to store full packet or partial packet (e.g. first 64 bytes)
- Capture 1:1 packets or Packet Sampling (e.g. 1 out of 32)
- Bloom filter support and/or Cuckoo filter support
- Ability to identify packets of interest at several touch points:
  * Ingress or Egress
  * Port, VLAN, Port-VLAN
  * L2 or L3
  * Flow Level
  * ACL level
- Auxiliary Action support: Matching or non-matching is the trigger for packet capture. For example, capture all ACL-denied packets.
- Ability to build complex rules: E.g. capture the first 32 bytes of 1 out of 64 packets that are specific to a flow.
- Expanding SPAN concepts: While traditional SPAN replicates a port, we extend the concept to allow it to capture only the first x bytes, sample, etc.
- SPAN+ or storage: The destination is another port or storage
- Support standard PCAP format for decoding/analyzing using Wireshark
- Use of one or more cores simultaneously for packet capture
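The complex rule from the list above (first 32 bytes of 1 out of 64 packets of one flow, stored in classic PCAP records) can be sketched as follows; this is an added example in plain C, not Replica code, and it uses no DPDK or SPDK API. The struct and function names are hypothetical, the traffic is constructed, and the microsecond timestamp is fixed at 0.

```c
#include <stdint.h>
#include <string.h>
/* Classic pcap file header (24 bytes) and per-packet record header (16 bytes). */
struct pcap_file_hdr { uint32_t magic; uint16_t ver_major, ver_minor;
                       int32_t thiszone; uint32_t sigfigs, snaplen, linktype; };
struct pcap_rec_hdr  { uint32_t ts_sec, ts_usec, incl_len, orig_len; };
/* Hypothetical flow key and capture rule; these names are not Replica's. */
struct flow_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };
struct cap_rule { struct flow_key flow; uint32_t sample_n, snaplen, seen; };

/* Start a capture buffer: magic 0xa1b2c3d4, version 2.4, linktype 1 (Ethernet). */
size_t pcap_begin(uint8_t *out, size_t room, uint32_t snaplen)
{
    struct pcap_file_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, snaplen, 1 };
    if (room >= sizeof h) memcpy(out, &h, sizeof h);
    return room >= sizeof h ? sizeof h : 0;
}

/* Apply the rule to one packet; returns bytes appended (0 = not captured). */
size_t capture(struct cap_rule *r, const struct flow_key *k, const uint8_t *pkt,
               uint32_t len, uint32_t ts_sec, uint8_t *out, size_t room)
{
    if (k->src_ip != r->flow.src_ip || k->dst_ip != r->flow.dst_ip ||
        k->src_port != r->flow.src_port || k->dst_port != r->flow.dst_port)
        return 0;                                /* not the flow of interest */
    uint32_t n = r->sample_n ? r->sample_n : 1;  /* 0 is treated as 1:1 */
    if (r->seen++ % n != 0) return 0;            /* keep 1 out of n matches */
    uint32_t incl = len < r->snaplen ? len : r->snaplen;
    struct pcap_rec_hdr h = { ts_sec, 0, incl, len };  /* orig_len = wire size */
    if (room < sizeof h + incl) return 0;        /* no room: record dropped */
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, pkt, incl);
    return sizeof h + incl;
}

/* Constructed traffic: 128 packets of the target flow, interleaved with 128 others. */
size_t demo_capture(uint8_t *buf, size_t room)
{
    struct cap_rule r = { { 0x0a000001u, 0x0a000002u, 1234, 443 }, 64, 32, 0 };
    struct flow_key other = { 0x0a000003u, 0x0a000002u, 5555, 443 };
    uint8_t pkt[100] = { 0 };                    /* 100-byte dummy frame */
    size_t off = pcap_begin(buf, room, r.snaplen);
    for (uint32_t i = 0; i < 128; i++) {
        off += capture(&r, &other, pkt, sizeof pkt, i, buf + off, room - off);
        off += capture(&r, &r.flow, pkt, sizeof pkt, i, buf + off, room - off);
    }
    return off;
}
int main(void) { uint8_t b[256]; return demo_capture(b, sizeof b) == 120 ? 0 : 1; }
```

Because each record keeps the wire length in `orig_len` while `incl_len` holds the truncated size, Wireshark shows the stored packets as truncated captures rather than as malformed frames.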
Summary:
SPDK-based Packet Capture Mechanism for DPDK-based switch/router
This feature will allow packet capture in various ways:
- Using SPDK, it stores packets on disk in .pcap format
- Advanced filter support using ACL, Flow and fuzzy logic (Bloom filter)
- Support for multiple packet capture sessions
- Support for high traffic capture limited only by SPDK and DPDK
- Replicated packets will be sent to another interface (SPAN)
- Will support ERSPAN (Encapsulated Remote SPAN)
- Will do full 1:1 packet capture or sampling (e.g. 1 out of 64)
- Will do full packet or first segment (say, first 64 bytes)
- Support for Wireshark format (directly sends in Wireshark .pcap format to a remote destination)
- Multiple touch points for capture: Port, Port-VLAN, VLAN, L3, ACL, etc.