A multi-Gigabit network traffic recorder with indexing capabilities.
n2disk is a network traffic recorder application. With n2disk you can capture full-sized network packets at multi-Gigabit rate (above 10 Gigabit/s on adequate hardware) from a live network interface, and write them into files without any packet loss. n2disk has been designed to write files to disk for very long periods: you specify a maximum number of distinct files that may be written during execution, and when n2disk reaches that maximum it starts recycling files, beginning with the oldest. This way you have a complete view of the traffic for a fixed time window and know in advance the amount of disk space needed.
n2disk uses the industry-standard PCAP file format to dump packets into files, so the resulting output can be easily integrated with existing third-party or open-source analysis tools (like Wireshark).
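The recycling scheme and PCAP output described above, as an added Python example that is not n2disk's own code: a hypothetical `RollingPcapWriter` writes fixed-size PCAP files (microsecond or nanosecond magic) into a bounded set of slots and overwrites the oldest slot once the set is full. The class, function and slot file names, and the sample frame and timestamps, are assumptions made for illustration.

```python
import os, struct, tempfile

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D  # PCAP magic: usec / nsec timestamps

class RollingPcapWriter:
    """Hypothetical recorder: fixed-size PCAP files, oldest slot reused when full."""
    def __init__(self, directory, max_files, max_file_bytes, nanos=True):
        self.dir, self.max_files, self.max_bytes = directory, max_files, max_file_bytes
        self.nanos, self.seq, self.fh = nanos, 0, None
        self._rotate()

    def _rotate(self):
        if self.fh:
            self.fh.close()
        # Slot seq % max_files: once the set is full this overwrites the oldest file.
        path = os.path.join(self.dir, f"slot{self.seq % self.max_files}.pcap")
        self.fh = open(path, "wb")
        magic = MAGIC_NSEC if self.nanos else MAGIC_USEC
        # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
        self.fh.write(struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1))
        self.seq += 1

    def write(self, ts_ns, frame):
        if self.fh.tell() + 16 + len(frame) > self.max_bytes:
            self._rotate()
        sec, frac = divmod(ts_ns, 10**9)
        frac = frac if self.nanos else frac // 1000
        self.fh.write(struct.pack("<IIII", sec, frac, len(frame), len(frame)) + frame)

    def close(self):
        self.fh.close()

def first_timestamp_ns(path):
    """Timestamp of the first record, honouring the file's timestamp resolution."""
    with open(path, "rb") as fh:
        magic = struct.unpack("<I", fh.read(24)[:4])[0]
        sec, frac = struct.unpack("<II", fh.read(16)[:8])
    return sec * 10**9 + (frac if magic == MAGIC_NSEC else frac * 1000)

def demo(nanos=True):
    base, frame = 1_700_000_000 * 10**9, bytes(64)  # constructed timestamp and dummy frame
    with tempfile.TemporaryDirectory() as d:
        w = RollingPcapWriter(d, max_files=3, max_file_bytes=24 + 4 * (16 + 64), nanos=nanos)
        for i in range(20):                          # 20 packets, 4 fit per file
            w.write(base + i * 1000, frame)
        w.close()
        paths = [os.path.join(d, f) for f in sorted(os.listdir(d))]
        used = sum(os.path.getsize(p) for p in paths)  # never exceeds max_files * max_file_bytes
        oldest = min(first_timestamp_ns(p) for p in paths) - base
    return len(paths), used, oldest

if __name__ == "__main__":
    print(demo())
```

With 20 packets and three 344-byte files, the set occupies 1032 bytes on disk and the oldest packet still retained is the ninth one written, which is the fixed time window the paragraph above refers to.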
n2disk was designed and developed mainly because most network security systems rely on capturing full-size packets: any packet may have been responsible for an attack or may contain the problem we are trying to find. NetFlow information is more manageable and requires less disk space, but in some cases, such as deep-packet-inspection analysis or controlled traffic regeneration, it is not useful.
n2disk can be effectively used to perform numerous activities, among these:
- Off-line network packet analysis by feeding specialized tools like Snort.
- Reconstruct particular communication flows or network activities.
- Reproduce previously captured traffic on a different network interface.
Main n2disk Features
The current n2disk version is much more than a simple packet-to-disk application. Some of the n2disk features include:
- Fully user configurable.
- Use of the standard PCAP file format (regular and with nanoseconds).
- High-performance packet to disk recording.
- BPF filter support (using the same format as in the popular tcpdump tool) to filter unwanted network packets out of the recording process.
- Optimized BPF-like filters support, a faster replacement for BPF filters (a subset of the BPF syntax is supported), that can be used both in packet capture and post-capture filtering.
- Multi-core support. n2disk has been designed with multicore architectures in mind. It uses at least 2 threads (one for the packet capture and one for the disk writing) and it is possible to further parallelize packet capture using multiple threads. The communication between threads has been carefully optimized.
- PF_RING acceleration. n2disk exploits the packet capture acceleration offered by both standard PF_RING and PF_RING DNA.
- Direct-IO disk access. n2disk uses the Direct IO access to the disks in order to obtain maximum disk-write throughput.
- Real-Time indexing. n2disk is able to produce an index on-the-fly during packet capture. The index can be queried using a BPF-like syntax to quickly retrieve interesting packets in a specified time interval. Besides the per-dump-file index, n2disk can also produce a timeline, a way of keeping the whole captured traffic in chronological order. Using the utilities provided with n2disk, it is possible to query the timeline for specific packets belonging to the whole dump set in a given time interval.
n2disk has been designed to keep up with multi-Gigabit speeds on commodity hardware.
n2disk sustained throughput with no packet loss:

|Packet Size (Bytes)|n2disk with DNA|n2disk10g with DNA|
|---|---|---|
|fixed 64|7.94 Mpps [~5.33 Gbit]|Wire rate|
|fixed 128|7.89 Mpps [~9.34 Gbit]|Wire rate|
|fixed 512|Wire rate|Wire rate|
The table above shows the result of a worst-case performance test using the following system configuration.
- OS: Ubuntu 12.04
- CPU: Intel(R) Xeon(R) E5-2630 @ 2.30GHz
- Motherboard: Supermicro X9DRi-F
- Memory: 16 GB
- Card: Intel PCIe 82599 10 Gigabit
- Disks: 8x 1TB 10K RPM SATA
- Commands used:
  - n2disk -i dna0 -o /storage/ -p 1000 -b 2000 -q 1 -C 4096 -S 0 -c 1 -w 2
  - n2disk10g -i dna0 -o /storage/ -p 1000 -b 2000 -q 1 -C 4096 -S 0 -c 1 -w 2 -R 3,4,5
For all the n2disk configuration options and performance optimisation techniques, please refer to the n2disk User’s Guide.
|Version|Max Dump Speed|Linux|Unix / OSX / Win32|
|---|---|---|---|
|n2disk1g|1 Gigabit|Native PF_RING support.|Basic libpcap-based packet capture. Available on request.|
|n2disk|5 Gigabit|Enhanced PF_RING support (i.e. full packet capture acceleration).|Basic libpcap-based packet capture. Available on request.|
|n2disk10g|10 Gigabit|Multithreaded zero-copy packet capture.|Not available.|
- Test results were measured on Linux under worst-case conditions (64-byte packets).
- Dump speed depends on your disk setup and the server being used.
- You can use n2disk as a software application or embedded in the nBox recorder.
- Research and non-profit users can have n2disk at no cost. Please contact us for details.