ntop

SFProbe: Embedding nProbe on an SFP

admin — Sun, 19 Feb 2012 18:31:52 +0000

In 2004 my friend Alex Tudor of Agilent involved ntop on a very challenging project. The idea was to monitor the network from the exact place where packets were originated. In fact popular network taps and span ports are not the right tools as they are added to an existing network (i.e. the network does not need them, but probes do need them). The same applies to active monitoring: traffic should be generated from the right place. So if you want to see the router-to-router latency you should let the router ping the other router, and not an external PC connected to such router. To make this long story short, Agilent decided to put the probe on the best place: namely on the SFP. This is because network equipment need SPFs and putting the intelligence there means that the probe is on the equipment side, on a vendor-independent place. You can imagine that we were involved on the software side (unfortunately we can’t build hardware here) and Agilent on the hardware side. After 6 years since the beginning of the project, JDSU (the former Agilent group running the project was incorporated on that company) has finally made the magic.They managed to squeeze everything into an ASIC chip and what we prototyped so many years ago is finally a product. Obviously this product is ntop-friendly as nProbe is a JDSU PacketPortal-Validated application. This means that using nProbe with PacketPortal you can analyze not just Internet traffic, but also Triple Play and mobile network traffic including LTE (didn’t you know nProbe was able to do that?).

JDSU has funded many nProbe developments including the VNIC integration features (VLAN tags used as netflow interface id), and if nProbe moved off a research project into a more industry-oriented (yet open source) solution it’s also thanks for all the comments we received during this project. If interested, you can visit the PacketPortal page (click on the “Related Products” for jumping to nProbe). Many thanks to Alistair Scott of JSDU for making all this happen.

Packet Monitoring using ntop and Cisco ON100

admin — Wed, 15 Feb 2012 19:52:39 +0000

From time to time, Cisco builds ntop-friendly products. This is the time of the Cisco ON100 network agent.

This tiny device that can fit on your hand, has been integrated with ntop for the purpose of traffic monitoring as you can read on this technical note Enabling ntop Packet Monitoring with Cisco OnPlus Service.

ntop is an optional application watching the second LAN port (Monitor port). The Cisco cloud service provides a web tunnel back to the ON100 to ntop’s web service. No data is interpreted, as ntop does that. This way end users can use ntop application without needing to invest in a PC. The ON100 unit has lots of CPU/RAM and ntop seems to behave very well. Since customers can use either (or both) port mirroring or NetFlow, everyone is happy.

You can find more about ntop and ON100 at this discussion page.

Precise Interface Merging Without Hardware Timestamps

admin — Wed, 08 Feb 2012 23:00:27 +0000

In network monitoring it is very common to use taps for duplicating network traffic (RX and TX directions).

Taps are important as they allow network probes to operate passively without interfering with network operations. The two traffic directions (A to B and B to A) are plugged into two network ports of the probe. Having the two directions separated has advantages (e.g. packets are not mixed across directions) and disadvantages. The main disadvantage is that when reading packets from the two interfaces, it is not possible to know which packet out of the two directions arrived first. For many applications (e.g. NetFlow traffic monitoring) this is not a problem, but for some others it is necessary to know the exact order of the packets. This is because if two hosts, one on the A side and the other on the B side, communicate over a protocol that has some kind of state, the probe must see messages in the exact order they hit the wire. If this does not happen, it might be confused and not operate as expected. We call this precise interface merging (PIM).

One of the myths about PIM is that it is necessary to use costly hardware timestamp-based NICs that are able to know the exact time (usually with a precision of 50 or 100 nsec) when incoming packets hit the probe interface. While hardware timestamps can definitively be used for PIM, we claim that they in practice are not necessary as commodity adapters with DNA and without hardware timestamps are enough for this task. We’re now going to explain why this statement holds.

With the advent of PF_RING DNA, it is possible to capture packets on multiple interfaces at line rate 1/10 Gbit with no loss. At 10 Gbit line rate, the adapter receives a packet every 67.2 nsec (1 sec /14.880.000 pps). Modern adapters as those based on the Intel 82599 chip can buffer up to 4096 packets in memory that is 275.2 usec (4096 * 67.2). As DNA operates at line rate, it means that it is able to consume packets as fast as the network (otherwise we wouldn’t be able to operate at line rate). With DNA we have written an example application named pfcount_aggregator that is able to read packets from two interfaces simulatenously. Using this application it is possible to read packets in order as two peers (one on the A and the other on the B side) that exchange data over a state-machine based protocol (i.e. A sends a request, and B replies with a response to the previous request) such as GTP can safely assume that packets are read in order by the aggregator. This is because the time it takes for a request (as seen on the first tap-ed interface) to go from A to B, and the response from B to A (as seen on the second tap-ed interface) is definitively more (in particular for a WAN) than 275.2 usec. This means that by the time the aggregator has read the request, it has also read all the following packets (up to the buffer length) and thus it’s impossible to read the response packet before the request. Basically it’s impossible for the probe to see the response before the request when an application such as pfcount_aggregator is used. Note that this is as such, because of DNA as with the NAPI-based polling model where interfaces can be polled sequentially, this property might not be true.

On a nutshell hardware timestamps and costly NICs are not necessary for PIM. This contrary to the common belief that without them PIM wouldn’t happen. Juvenal said 2000 years ago: Quis custodiet ipsos custodes? Have fun with DNA and commodity adapters.

Say hello to nDPI (Network DPI)

admin — Fri, 03 Feb 2012 11:57:58 +0000

The equation “port = (application) protocol” no longer holds. DPI (Deep Packet Inspection) is the way to detect known protocols on non-known ports (e.g. http on ports other than 80) and traffic on know port that is not the one we expect (e.g. skype on port 80). On a nutshell, we need to look at packet content and see what’s inside. P2P protocols have been designed from day one with the ability to circumvent network policies in order to reach their peers, and they are good example of places where DPI can help.

Unfortunately there are very few DPI libraries freely available on the Internet, and most of the time they support “common protocols” (e.g. SMTP, DNS) that are not so challenging. On the other hand popular protocols such as HTTP cannot longer be defined a protocol. We believe that Facebook, Twitter, Netflix and many others are not just sub-HTTP protocols (technically they are of course) but first-class protocols. As we have not found any reasonable DPI library freely available, we decided to create our own starting from OpenDPI that is a good starting point but that lacks many interesting protocols (e.g. Skype) as they are available on the commercial library version. This has been the motivation behind nDPI.

nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. We have added support for many popular protocols such as Twitter, Skype BitTorrent (major enhancements) and also business protocols such as Citrix.

We plan to maintain this library free of charge and updated as new protocols (versions) come out. But on the other hand we need support from the community for tracking bugs and adding extensions. More information can be found at the nDPI home page.

DNA vs netmap

admin — Fri, 27 Jan 2012 21:10:03 +0000

In the past months I have received a few emails about how to position DNA with respect to netmap. To many people they look like two competing solutions, but in reality they are just two solutions to the same problem. Yesterday I had a nice meeting with Luigi Rizzo, the author of netmap.

I personally know Luigi since almost 15 years as we both live pretty close. The first time I saw him (1999 or so) he was hacking a driver for a CD-ROM drive on FreeBSD while speaking with me. Impressive. He was telling me about projects he previously did, including a PC-based bridge able to run a few university departments. I have to admit that if I have started to code in the kernel, it’s also because he has inspired me showing that the kernel was a radical new (for me) way of looking at things. I decided to go for Linux, he’s a recognized FreeBSD contributor, but our view are not that far.

Even if DNA and netmap have been developed in totally independent ways, they solve the same problem: how to move packets back/forth a network adapter without using too many CPU cycles. And I believe it’s no surprise that the performance of DNA and netmap is basically the same. So yesterday we’ve not discussed about who’s faster, but we talked about where we wanted to drive our technologies.

As you can see from the backboard (pictures are courtesy of our common friend Gianmarco), we have some ideas on the next thing to do. First of all, both DNA and netmap are not the ultimate goal, but instead some enabling technologies for improving networking on operating systems. They are not revolutionary in the sense that the idea of memory mapping is out for years, but companies like Endace and Napatech (that used it for so long time) have been unable to use it properly and thus drive innovation anywhere. If you look at at their technology 15 years ago and today, you will see that nothing changed: just pass me the packet and I will do the rest. In my view (and I think I can also mostly speak for Luigi), we need to go beyond simple packet juggling. Modern network and applications are significantly different from similar applications developed in the last decade. Operating systems changed too, and thus it’s time to rethink a few things, and not just to wait until somebody else would do that. Stay tuned!

Using nProbe for Solving General Traffic Monitoring Tasks

admin — Sun, 08 Jan 2012 23:18:49 +0000

Most people use nProbe just as a basic NetFlow/IPFIX probe where traffic monitoring is limited to packet header analysis, without further dissecting protocols. This practice is very common inside the NetFlow community and it’s one of the reasons why flow-based analysis has not changed much since its inception. Fortunately nProbe can do much more than this (e.g. it can inspect traffic on tunnels, or geo-locate flow peers), and below are just some use cases:

Browsing the Internet is slow, some URLs cannot be accessed
Most likely the DNS is not working perfectly, is either unresponsive or slow. With nProbe you can enable the DNS plugin so that you can monitor the DNS queries/responses as well the response time.
Monitor HTTP latency
HTTP is a pervasive protocol, also used by non-web applications. When latency of selected URLs increases, the services relying on it are affected as well the user experience. nProbe allows HTTP URLs to be monitored by analyzing the service time as well computing the network latency, so that network administrators can figure out if the problem is on the web server or on the network. Furthermore for advanced HTTP analysis or for reconstructing HTTP traffic communications, nProbe can generate comprehensive traffic traces in text format that could be used for pinpointing the problem.
SSL/HTTPS Monitoring
In addition to HTTP, nProbe can also analyze HTTPS traffic. SSL certificates are decoded, thus it is possible to figure out whether a certain HTTPS connection is used for home-banking or for accessing web-mail. Being able to identify the site we’re connecting to, it’s useful for detecting SSL connections that are used to tunnel out traffic and thus violate the network policy. If the user can supply the private SSL key (e.g. we decide to monitor our web site), nProbe can fully decode the HTTPS traffic and thus generate the same statistics produced for HTTP.
Application Detection
Since the end of last year, nProbe supports application detection by means of an open-source DPI library we’re developing. As we’re supporting more that 120 application protocols (including popular applications such as Skype, BitTorrent, Facebook, Twitter and YouTube), it’s very easy to know which portion of bandwidth is used by a specific protocol, what application protocol is using port X, and also for detecting known protocols on non-standard ports (e.g. detect HTTP on ports other than 80, 3128, 8080) that might indicate a security issue.
VoIP Traffic Analysis
nProbe natively detects SIP/RTP traffic and produces CDR (Call Data Records) including voice quality parameters (e.g. jitter, packet loss, and packets out of order) that can be both dumped on disk/database and also exported via NetFlow. This means that you can create a permanent VoIP traffic monitor application relying on nProbe’s traffic analysis.

This year we are planning to introduce selected extensions on nProbe that could further simplify network traffic analysis. Some of them include:

Emit Flows on Demand
In NetFlow, flows are always generated when a flow expires. This puts a lot of pressure on collectors that have to discard unwanted flows. We are planning to enhance nProbe so that you can specify which conditions must be met in order nProbe to emit a flow. This would allow for instance to emit only those flows with specific characteristics (e.g. skype flows or flows with high latency) thus saving bandwidth and reducing the load on collectors.
Create Custom NetFlow Fields
Many collectors are a simple dump-to-database and select-data-from-database applications with a web GUI. As these application are not able to do complex operations, nProbe will offer the ability to define custom fields containing pre-computed values on which collectors can rely. For instance it will be possible to define a new numeric field named FLOW_QUALITY that indicates whether such flow needs to be further analyzed as it has been characterized by high latency, or too many packets out-of-order/retransmitted, or too many fragments.

You can do many things exploiting nProbe beyond the basic NetFlow traffic analysis that all flow probes do. And if a given features it is not present, it can be developed and added to nProbe by coding it onto a plugin. This is true beauty of open-source software.

PF_RING in 2012

admin — Wed, 14 Dec 2011 23:12:18 +0000

From time to time the kernel folks are sick and tired of people saying PF_RING is better than what we have upstream, it really isn’t. Fortunately (for PF_RING) the story is a bit different not to mention that some of PF_RING features such as clustering have probably inspired AF_PACKET too.

For 2012 we have planned to make some enhancements to PF_RING and (we’ll be doing much more but this is just the next thing that will see the light) add one of the last missing features you can find on costly FPGA-based NICs. No, I am not talking about multi-10G packet capture/transmission speed, low latency, IDS/IPS acceleration, virtual machine support, or hardware packet filtering: all this is already part of PF_RING. What we are currently implementing is the ability to support TX and RX hardware timestamps as those offered by Intel 82580 NICs. Some of you might wonder why it’s so important. The answer is manyfold:

RX and TX timestamps are the recipe for computing one way delay.
The use of splitter or network partitions prevents receiving all packets from a single NIC. As network monitors might need to know which packet came first out of N interfaces, the only way of doing that is via packet timestamps that can enable us comparing packet arrival timestamps.

Synchronizing the time on a LAN is also challenging and we’re doing our best to make PF_RING a good friend of PTP so that in addition of saving money with costly GPS-based NICs you can use a single source of time at almost no cost. So PF_RING is not just packet capture, because packet capture (i.e. put a received raw packet onto a buffer) is just the first step for network monitoring/security and not the ultimate goal in life.

PS. We don’t like flames. We would have liked to merge PF_RING (or parts of it) with the vanilla kernel some years ago, but this idea was not liked by the kernel developers. We still hope that this will happen at some point.

Unveiling Application Visibility in ntop and nProbe (both in NetFlow v9 and IPFIX)

admin — Tue, 29 Nov 2011 22:36:52 +0000

For years, applications have used static ports so that port 80 means HTTP, and port 25 SMTP. Unfortunately this 1:1 mapping has been relaxed years ago with dynamic ports so that a given service could use a range of ports (e.g. for circumventing security policies) or even a fully dynamic port (e.g. see portmap). The opposite is also true, namely HTTP can run on ports other than 80, so that you can see it for instance on port 3000 that is the default HTTP port in ntop. HTTP is also a good example of a popular protocol that is used also for non-hypertext based applications, including DropBox, Twitter and even Skype. The conclusion is that unless we inspect the data payload, we cannot decide which protocol is used by a given protocol.

Until release 4.1, ntop allowed users to identify IP-based protocol by specifying with -p the list of ports. Today this association port/protocol is no longer true as we stated earlier in this post. On the other hand people want to know whether most of the traffic on their LAN is produced by FaceBook or BitTorrent, or if some “smart” user is using HTTP on port 1234 to circumvent the company HTTP filtering proxy. For this reason as of ntop 4.1.x and nProbe 6.7.x we have decided to give people visibility of application protocols so that their users can be aware of what’s flowing on the network.

After some internal libraries, tests with third party signatures (e.g. l7-filter), and public signatures found on the Internet, we have decided to use an open source library named OpenDPI as starting point. This library contains many protocols, but it lacks popular ones (e.g. Skype) or business protocols (e.g. Microsoft Exchange or Oracle). I have contacted the authors asking whether in case of extensions, they would have accepted the patches for inclusion. Unfortunately nobody answer, and then we forked the library and created an ntop-based version of OpenDPI you can find here, that already includes many new protocols including Skype, FaceBook and Twitter. Note that technically speaking FaceBook is not a protocol (it’s just HTTP/HTTPS) but we consider it as an application protocol (or a HTTP sub-protocol if you wish) because we want to distinguish it from other HTTP-based applications.

The above picture shows the current development version of ntop how detects and depicts application protocol. In nProbe (as of 6.7 version) we have also added application visibility in both NetFlow v9 and IPFIX by adding two new information elements:

[NFv9 57590][IPFIX 35632.118] %L7_PROTO                  	Layer 7 protocol (numeric)
[NFv9 57591][IPFIX 35632.119] %L7_PROTO_NAME             	Layer 7 protocol name

This means that with nProbe you can detect application protocol and send it to a V9/IPFIX compliant flow collector (including ntop).

So far we support over 125 application protocols, including Gmail, Google Maps, BitTorrent, Skype, VNC and VoIP protocols. We’re adding new protocols quite often, so you can be sure that your favorite protocol will be soon detected.

Credits: many thanks to a french company (that doesn’t like to be mentioned publicly) for funding this work.

Exploiting Hardware Filtering in PF_RING-aware apps, Snort…

admin — Tue, 15 Nov 2011 17:09:24 +0000

Introduction

PF_RING filters have been designed to be efficient and versatile. PF_RING-based applications can use them for both reducing the amount of packets they need to process, and passing incoming packets to kernel plugins for further processing.

Years ago, hardware packet filtering was limited to costly FPGA-based NICs, whereas today it is available also on commodity adapters such as Silicom 1/10 Gbit Director card, and Intel 82599-based 10 Gbit network adapters.

Filtering in PF_RING 5.2

Although past PF_RING versions supported limited hardware filtering, in PF_RING 5.2 we have completely redesigned packet filtering so that applications can use a single and consistent packet filtering API, letting PF_RING do the magic based on the hardware NIC being used. This means that you need to code the application once, regardless of the type of NIC being used, and let PF_RING set the native filter type. As you can see from the figure below there are many combinations we support in PF_RING, and using a single API is pre-requisite for avoid wasting time supporting all of them.

When you set a filter, you can either specify it as NIC native filter (e.g. silicom_redirector_hw_rule) or as PF_RING generic filter (e.g. filtering_rule/hash_filtering_rule). In the former case you have full control over the filter at the cost of being unable to seamlessly run the code over various adapter types. In the latter case, you code once and let PF_RING convert the filter format into native, hardware filter, based on the NIC type you use.

Although all hardware filter types are very efficient being them executed in hardware, they are not all alike. As of today we support:

82599-based NICs (see the Intel 82599 datasheet for more details)

Up to 32k FlowDirector filters (IPv4/v6 hash_filtering_rule in PF_RING parlance)
Up to 128 5-tuple filters (IPv4/v6 filtering_rule in PF_RING parlance)

Silicom Director

Up to 1’000 filters per port (IPv4-only flexible filters)

In the case of Silicom Director, it is also possible to execute in hardware actions across ports (e.g. mirror packets matching a given filters across ports); on non-Director NICs you can do that too at the cost of doing it in the CPU.

Using Hardware Filters

In order to demonstrate the power and usefulness of PF_RING filters, we have enhanced the pfcount demo application so that it adds a filter (-u command line option) for dropping incoming packets. The pfcount_82599 demo application shows how to set native filters.

Hardware Filtering in Snort

For all snort users, we have enhanced our PF_RING DAQ module, so that snort can transparently set “drop filters” whenever bad packets are detected. This is a fantastic way to address DDoS attacks and drop in hardware nasty packets that would waste too many CPU cycles.As snort PF_RING DAQ can work in both IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) mode, so hardware filtering in IPS mode is a very nice thing to have.

If You Don’t Own a Hardware-Filtering NIC…

Software PF_RING filters are still enabled when hardware filtering is used. This because it is not always possible to filter all the traffic you would like in hardware. So you can use PF_RING filtering as you have done so far, although you have to be aware that switching to a hardware filtering NIC allows your CPU to offload filters to the NIC and thus preserve precious CPU cycles for packet processing.

Notes on 82599 filters

In order to enable hardware filters you need to load the ixgbe module with specific parameters. Example: insmod ixgbe.ko RSS=0,0,0,0 FdirMode=2,2,2,2 FdirPballoc=3,3,3,3
Filters are not used just for pass/drop actions, but also for steering packets to specific cores/RX queues. For instance you can say: all incoming TCP packets on port 80 must be diverted to RX queue 3. So you can bind you HTTP analysis application to queue ethX@3 and forget all other queues.
You can simultaneously set both 5-tuple and FlowDirector filters. However there are some limitations in the silicon, so please refer to the 82599 datasheet for more information about this subject.

Released PF_RING 5.1 and TNAPIv2

admin — Sun, 25 Sep 2011 22:12:01 +0000

PF_RING 5.1 is a maintenance release that addresses some issues we identified in 5.0 that we released early this month. We have listen to your comments and tried to improve our software applications both in terms of stability and speed.

In this release we introduce (PF_RING 5.0 was lacking TNAPI as we were busy coding this new TNAPIv2) a new version of TNAPI (v2) that has been completely rewritten based on the lessons learnt with DNA. The performance improvement with respect to v1 has been major. Just to give you an idea with a low end Core2Duo and a single RX queue, you can achieve wire-rate 1 Gbit packet capture (with v1 we stopped at 750 Kpps) and over 2.8 Mpps at 10 Gbit (with v1 we could’t go above 1 Mpps). TNAPI is now able to both receive and send packets; unfortunately we need to work a bit more on the PF_RING side in order to exploit TX, thus even if TNAPIv2 features packet transmission, we have not yet enabled until we complete developments on the PF_RING side.

We remind you that beside speed, the fundamental difference between DNA and TNAPI is that on DNA the interface is piloted by a single (i.e. quality one) user-space application, whereas TNAPI can be used to capture packets that will be dispatched to multiple PF_RING-based applications. The cost of dispatching is paid on performance as with DNA you can have wire speed with any packet size, whereas TNAPI features wire-rate at 1 Gbit and over 5 Mpps packet capture at 10 Gbit on low-end Xeon boxes. Please note that in order to use TNAPIv2 you must use PF_RING 5.1.

Finally, in order to figure out immediately what interface type we’re using, we have renamed the interfaces. The new standard for network interfaces is:

ethX: vanilla or PF_RING-aware driver
tnapiX: TNAPI driver
dnaX: DNA driver

For instance:

tnapi0    Link encap:Ethernet  HWaddr 00:1b:21:a1:cc:20
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:e0320000-e0340000 

tnapi1    Link encap:Ethernet  HWaddr 00:1b:21:a1:cc:21
          inet6 addr: fe80::21b:21ff:fea1:cc21/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:e0340000-e0360000