n2disk™

A multi-Gigabit network traffic recorder with indexing capabilities.


n2disk™ is a network traffic recorder application. With n2disk™ you can capture full-sized network packets at multi-Gigabit rate (above 10 Gigabit/s on adequate hardware) from a live network interface and write them into files without any packet loss. n2disk™ has been designed to write files to disk for very long periods: you specify the maximum number of distinct files that may be written during the execution, and once n2disk™ reaches that maximum it starts recycling the files, beginning with the oldest one. This way you have a complete view of the traffic for a fixed temporal window, knowing in advance the amount of disk space needed.
n2disk™ uses the industry-standard PCAP file format to dump packets into files, so the resulting output can be easily integrated with existing third-party or even open-source analysis tools (like Wireshark).
n2disk™ has been designed and developed mainly because most network security systems rely on capturing full-size packets, since any packet may have been responsible for the attack or may contain the problem we are trying to find. NetFlow information is more manageable and requires less disk space to be stored, but in some cases, such as deep-packet-inspection analysis or controlled traffic regeneration, it is not useful.
n2disk™ can be effectively used to perform numerous activities, among these:

  • Off-line network packet analysis by feeding specialized tools like Snort.
  • Reconstructing particular communication flows or network activities.
  • Replaying previously captured traffic to a different network interface.

 

Main n2disk™ Features


The current n2disk™ version is much more than a simple packet-to-disk application. Some of the n2disk™ features include:

  • Fully user configurable.
  • Use of the standard PCAP file format (regular and with nanoseconds).
  • High-performance packet to disk recording.
  • BPF filter support (using the same format as in the popular tcpdump tool) to filter out unwanted network packets from the recording process.
  • Optimized BPF-like filter support, a faster replacement for BPF filters (a subset of the BPF syntax is supported), that can be used both in packet capture and in post-capture filtering.
  • Multi-core support. n2disk™ has been designed with multicore architectures in mind. It uses at least 2 threads (one for packet capture and one for disk writing), and packet capture can be further parallelized using multiple threads. The communication between threads has been carefully optimized.
  • PF_RING acceleration. n2disk™ exploits the packet capture acceleration offered both by standard PF_RING and by PF_RING DNA.
  • Direct-IO disk access. n2disk™ uses the Direct IO access to the disks in order to obtain maximum disk-write throughput.
  • Real-Time indexing. n2disk™ is able to produce an index on-the-fly during packet capture. The index can be queried using a BPF-like syntax to quickly retrieve interesting packets in a specified time interval. Besides the per-dump-file index, n2disk™ can also produce a timeline, a way of keeping the whole captured traffic in chronological order. Using the utilities provided with n2disk™, it is possible to query the timeline for specific packets belonging to the whole dump set in a given time interval.

 

Performance


n2disk™ has been designed to keep up with multi-Gigabit speeds on commodity hardware.

Packet Size (Bytes)   n2disk™ Sustained Throughput with no packet loss
                      n2disk™ with DNA          n2disk10g™ with DNA
fixed 64              7.94 Mpps [~5.33 Gbit]    Wire rate
fixed 128             4.64 Mpps [~5.5 Gbit]
fixed 512             1.29 Mpps [~5.5 Gbit]
random 64-1500        857 Kpps  [~5.5 Gbit]

The table above shows the result of a worst-case performance test using the following system configuration.

  • OS: Ubuntu 12.04
  • CPU: Intel(R) Xeon(R) E5-2630 @ 2.30GHz
  • Motherboard: Supermicro X9DRi-F
  • Memory: 16 GB
  • Card: Intel PCIe 82599 10 Gigabit
  • Disks: 8x 1TB 10K RPM SATA
  • Commands used:
    • n2disk -i dna0 -o /storage/ -p 1000 -b 2000 -q 1 -C 4096 -S 0 -c 1 -w 2
    • n2disk10g -i dna0 -o /storage/ -p 1000 -b 2000 -q 1 -C 4096 -S 0 -c 1 -w 2 -R 3,4,5

 

User’s Guide


For all the n2disk™ configuration options and performance optimisation techniques, please refer to the n2disk™ User's Guide.

 

Get It


n2disk™ is available in three flavours. You can test it as a binary package or get a permanent license.

 

Version     Max Dump Speed   Linux                                                               Unix / OSX / Win32
n2disk1g    1 Gigabit        Native PF_RING support.                                             Basic libpcap-based packet capture. Available on Request
n2disk      5 Gigabit        Enhanced PF_RING support (i.e. full packet capture acceleration).   Basic libpcap-based packet capture. Available on Request
n2disk10g   10 Gigabit       Multithreaded zero-copy packet capture.                             Not available.

Notes:

  • Test results have been measured on Linux in the worst-case conditions (64-byte packets).
  • Dump speed depends on your disk setup and on the server being used.
  • You can use n2disk™ as a software application or embedded on the nBox recorder.
  • Research and non-profit organisations can have n2disk™ at no cost. Please contact us for details.