Author: Alfredo Cardigliano

ntop

Finding a Needle in a Haystack (was Traffic Disaggregation with Sub Interfaces in ntopng)

Network traffic moving across a link often contains various types of traffic; in a large company, for example, it can include a mix of traffic coming from the employees network, the core company servers, the guests network, and others. Analysing the traffic as a whole is usually complicated and, as a consequence, many things are hard to see. It is more convenient to split it into smaller subsets based on traffic type and analyse each subset separately, because with a lot of heterogeneous traffic specific patterns can be hard to identify. In many …
n2disk

Combining Traffic Recording with Visibility at 100 Gbps

A few months ago, with ntopng 3.8, we introduced support for continuous traffic recording, which allows you to drill down through historical data from the timeseries level all the way to raw packets. This is useful when troubleshooting a network issue or analysing a security event, since it combines traffic visibility with raw traffic analysis. In order to record raw data ntopng relies on the n2disk application, which is able to capture full-sized network packets at wire speed up to 100 Gbps from a live network interface and write them into pcap files without any packet …
n2disk

Building a (Cheap) Continuous Packet Recorder using n2disk and PF_RING [Part 2]

Continuous packet recorders are devices that capture raw traffic to disk, providing a window into network history that allows you to go back in time when a network event occurs and analyse traffic down to the packet level to find the exact network activity that caused the problem. n2disk is a software application, part of the ntop suite, able to capture traffic at high speed (it relies on the PF_RING packet capture framework, which delivers line-rate packet capture up to 100 Gbit/s) and dump traffic to disk using the standard PCAP …
PF_RING

Introducing PF_RING Configuration Wizard

Getting started with PF_RING can be a bit tricky, as it requires the creation of a few configuration files in order to set up the service, especially when ZC drivers need to be used. First of all it requires installing packages: PF_RING comes with a set of packages for the userspace libraries (pfring), the kernel module (pfring-dkms), and the ZC drivers (<driver model>-zc-dkms). Installing the main package, pfring, is quite intuitive and straightforward following the instructions available at http://packages.ntop.org ; however, installing and configuring the proper package when it comes to …
ntop

Introducing n2disk 3.2: towards 100 Gbit to disk

This is to announce a new n2disk release, 3.2. This release, besides addressing a few issues, includes new juicy features: multithreaded dump and support for multiple volumes. This is useful in a few cases: if you want to record traffic above 30-40 Gbit/s to HDDs or SSDs, you should pay attention to the RAID controller limit. In fact, even if you use many disks in a RAID 0 configuration, many controllers are not able to scale above 30-40 Gbit/s of sustained write throughput. Load-balancing traffic across multiple controllers could be …
ntop

Introducing PF_RING 7.4: PF_RING FT, Containers and Virtual Functions Support

This is to announce a new PF_RING major release, 7.4. This release includes many improvements to the PF_RING FT library, which is now more mature thanks to new API functionalities and features that provide more flexibility. This release also addresses many issues and moves a step forward in the same direction as release 7.2, which included full support for Containers and Namespaces, adding support for CoreOS containers and ZC Virtual Function drivers, technologies commonly available in cloud services. This is the complete changelog: PF_RING Library New pfring_open PF_RING_DO_NOT_STRIP_FCS flag to disable …
PF_RING

How to accelerate Bro with PF_RING FT

We have discussed many times the large amount of work IDSs have to carry out and the high CPU load they require. This is the case for Suricata, due to the thousands of rules that need to be evaluated for every single packet, but it is also the case for the Bro Network Security Monitor. In a previous post we've seen How to accelerate Suricata with PF_RING FT in a few steps. In that guide we leveraged the flow classification and L7 protocol detection provided by PF_RING FT to …
ntop

Introducing PF_RING 7.2, including PF_RING FT and nBroker

This is to announce a new PF_RING major release, 7.2, that includes: support for Ubuntu 18 as well as the latest Debian and CentOS kernels; many improvements to the FPGA capture modules and the ZC library (which is now able to reserve head room for zero-copy traffic encapsulation/decapsulation, just to mention one); full support for Containers and Namespaces. Besides many improvements and bug fixes, this release also introduces PF_RING FT, a highly optimized library that assists flow-processing applications with L7 classification and filtering, and nBroker, a framework for hardware-based traffic steering and filtering …
PF_RING

How to accelerate Suricata, Bro, Snort with PF_RING FT

In a previous post we discussed the advantages of using specialized adapters featuring flow offload in hardware for accelerating IDS applications. What we have learnt is that IDSs are typically CPU-bound applications, and this is mainly caused by the thousands of rules that need to be evaluated for every single packet (in addition, of course, to packet capture). This is the case for Suricata, Bro, Snort and other IDS/IPSs, as well as other security applications. More than 2/3 of Internet traffic is multimedia traffic (mostly video, social networks and music streaming), consisting of a few …
PF_RING

Introducing nBroker: Traffic Steering and Filtering on Intel RRC (FM10K)

Exactly two years ago we introduced Intel FM10K (FM10000) support in PF_RING ZC. The Intel FM10K ethernet controller family supports 10/25/40/100 Gbit on the same NIC at a convenient price (sub-$1000 range), and it powers various NIC models manufactured by Silicom Inc. The most interesting aspect of the FM10K is the programmability this adapter provides. In fact this adapter integrates an internal switch attached to the external ports (those physically connected to the cables) and to the internal ports (towards the CPU, those seen by the host OS) …
ntop

Introducing PF_RING FT: nDPI-based Flow Classification and Filtering for PF_RING and DPDK

Motivation. Most network monitoring and security applications are based on flow processing, which in practice is the activity of grouping packets based on common attributes (e.g. source and destination IP, source and destination port, protocol, etc.) and doing some analysis based on the collected information. What happens behind the scenes can be divided into a few major tasks: capturing raw packets; decoding packet headers to extract flow attributes; classifying the packets based on flow attributes; and, optionally, also extracting L7 protocol information. Introducing PF_RING FT. With PF_RING, and later on with PF_RING ZC (Zero …
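The flow-processing tasks listed above (capture, header decoding, flow-attribute extraction, classification), as an added worked example in C. This is not PF_RING FT code and does not use its API: it decodes constructed Ethernet/IPv4/TCP/UDP frames, normalises the 5-tuple so both directions of a connection map to one flow, and looks the key up in a small flow table. The packets, addresses and ports are constructed for the example; the linear-scan table stands in for the hash table a real engine would use.

```c
/* Added example, not PF_RING FT code: minimal 5-tuple flow classification
 * over constructed IPv4 frames. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 64

/* Normalised 5-tuple: the lower (ip, port) endpoint is always stored as src,
 * so client->server and server->client packets share one key. */
typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; } flow_key_t;
typedef struct { flow_key_t key; uint64_t packets, bytes; } flow_t;
typedef struct { flow_t flows[MAX_FLOWS]; size_t count; } flow_table_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Decode Ethernet/IPv4/{TCP,UDP} and extract the flow attributes.
 * Returns 1 on success, 0 for anything not handled (non-IPv4 EtherType,
 * truncated frame, other L4 protocol). */
int flow_key_from_packet(const uint8_t *pkt, size_t len, flow_key_t *key)
{
    if (len < 14 + 20 || rd16(pkt + 12) != 0x0800) return 0;   /* EtherType IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return 0;
    uint8_t proto = ip[9];
    if (proto != 6 && proto != 17) return 0;                     /* TCP or UDP only */
    const uint8_t *l4 = ip + ihl;
    uint32_t a_ip = rd32(ip + 12), b_ip = rd32(ip + 16);
    uint16_t a_port = rd16(l4), b_port = rd16(l4 + 2);
    int swap = (a_ip > b_ip) || (a_ip == b_ip && a_port > b_port);
    memset(key, 0, sizeof *key);
    key->src_ip   = swap ? b_ip : a_ip;     key->dst_ip   = swap ? a_ip : b_ip;
    key->src_port = swap ? b_port : a_port; key->dst_port = swap ? a_port : b_port;
    key->proto    = proto;
    return 1;
}

static int key_eq(const flow_key_t *a, const flow_key_t *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->proto == b->proto &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* Classify: find the flow for this key, creating it on first sight. */
flow_t *flow_table_lookup_or_add(flow_table_t *t, const flow_key_t *k)
{
    for (size_t i = 0; i < t->count; i++)
        if (key_eq(&t->flows[i].key, k)) return &t->flows[i];
    if (t->count == MAX_FLOWS) return NULL;
    flow_t *f = &t->flows[t->count++];
    memset(f, 0, sizeof *f);
    f->key = *k;
    return f;
}

/* Constructed frame: Ethernet + IPv4 (no options) + TCP/UDP header + zero payload.
 * Checksums are left zero; the classifier never looks at them. */
static size_t build_packet(uint8_t *buf, uint32_t sip, uint32_t dip, uint8_t proto,
                           uint16_t sport, uint16_t dport, uint16_t payload_len)
{
    uint16_t total = (uint16_t)(20 + (proto == 6 ? 20 : 8) + payload_len);
    memset(buf, 0, 14 + total);
    buf[12] = 0x08; buf[13] = 0x00;
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total; ip[8] = 64; ip[9] = proto;
    wr32(ip + 12, sip); wr32(ip + 16, dip);
    uint8_t *l4 = ip + 20;
    l4[0] = (uint8_t)(sport >> 8); l4[1] = (uint8_t)sport;
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    return 14 + total;
}

/* Run a constructed six-packet capture (one TCP session seen in both directions,
 * one DNS query/reply pair, one extra TCP connection) through the pipeline.
 * Returns the number of distinct flows found: 3. */
size_t classify_sample(flow_table_t *t)
{
    const uint32_t client = 0x0a000005, server = 0xc0a80114, dns = 0x08080808; /* 10.0.0.5, 192.168.1.20, 8.8.8.8 */
    const struct { uint32_t s, d; uint8_t p; uint16_t sp, dp, pl; } pkts[] = {
        { client, server, 6, 51000, 443, 0 },    /* SYN */
        { server, client, 6, 443, 51000, 0 },    /* SYN/ACK: reverse direction, same flow */
        { client, server, 6, 51000, 443, 100 },  /* data */
        { client, dns, 17, 40000, 53, 30 },      /* DNS query */
        { dns, client, 17, 53, 40000, 60 },      /* DNS reply */
        { client, server, 6, 51001, 443, 0 },    /* new source port: new flow */
    };
    uint8_t buf[256];
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        size_t len = build_packet(buf, pkts[i].s, pkts[i].d, pkts[i].p, pkts[i].sp, pkts[i].dp, pkts[i].pl);
        flow_key_t k;
        if (!flow_key_from_packet(buf, len, &k)) continue;
        flow_t *f = flow_table_lookup_or_add(t, &k);
        if (f) { f->packets++; f->bytes += len; }
    }
    return t->count;
}

int main(void)
{
    flow_table_t t;
    size_t n = classify_sample(&t);
    for (size_t i = 0; i < n; i++)
        printf("flow %zu: proto %u ports %u<->%u packets=%llu bytes=%llu\n", i, t.flows[i].key.proto,
               t.flows[i].key.src_port, t.flows[i].key.dst_port,
               (unsigned long long)t.flows[i].packets, (unsigned long long)t.flows[i].bytes);
    return 0;
}
```

The direction normalisation is the part worth noticing: without it the SYN and the SYN/ACK would land in two different flows, and any per-flow L7 detection or filtering built on top (which is what the library adds in the optional fourth step) would see only half of each conversation.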
nScrub

Protecting a Web Server from DDoS Attacks Using nScrub

nScrub is a software-based DDoS mitigation system based on PF_RING ZC, able to operate at 10 Gbit full rate (or at multiples of 10 Gbit by distributing the load across multiple modules) using commodity hardware, making it affordable in terms of both price and deployment. nScrub is easy to configure even for beginners and for companies with no experience in DDoS mitigation; it can be deployed as a bump in the wire (i.e. no BGP or traffic tunneling necessary) or as a router for on-demand traffic diversion. In this post we will go through the installation steps for …