Author: Alfredo Cardigliano

  • Home
  • Articles by: Alfredo Cardigliano
ntop

Introducing PF_RING FT: nDPI-based Flow Classification and Filtering for PF_RING and DPDK
Motivation Most network monitoring and security applications are based on flow processing, which is in practice the activity of grouping packets based on common attributes (e.g. source and destination IP, source and destination port, protocol, etc.) and do some analysis based on the collected information. What happens behind the scenes can be divided in a few major tasks: capturing raw packets decoding packet headers to extract flow attributes classify the packets based on flow attributes (optional) extracting also L7 protocol information. Introducing PF_RING FT With PF_RING, and later on with PF_RING ZC (Zero …
nScrub

Protecting a Web Server from DDoS Attacks Using nScrub
nScrub is a software-based DDoS mitigation system based on PF_RING ZC, able to operate at 10 Gbit full-rate (or multi 10 Gbit distributing the load across multiple modules) using commodity hardware, making it affordable in terms of price and deployment. nScrub is easy to configure even for beginners and companies with no experience with DDoS mitigation, it can be implemented as bump in the wire (i.e. no BGP or traffic tunneling necessary) or as router for on-demand traffic diversion. In this post we will go through the installation steps for …
ntop

Introducing n2disk 3.0
This is to announce n2disk 3.0 that is more than a maintenance release, as it: Consolidates pre-existing functionalities Adds extraction security features that pave the way to GDPR support. Adds flow offload support Simplifies storage management to avoid headaches during the n2disk configuration During our last meeting at Sharkfest EU we talked about Hardware Flow Offload. In essence, applications running on top of PF_RING and (supported) FPGA adapters are now able to offload flow processing to the network card that be programmed to: Keep flow state, doing (basic) flow classification in hw. Periodically …
Guides

PF_RING and Network Namespaces
Last week we made a couple of presentations at LinuxLab 2017 where we spoke about Containers, focusing on Network Namespaces support in PF_RING, and User and IoT-oriented Network Traffic Monitoring on Embedded Devices. With the advent of Containers, processes isolation has become extremely easy and effective, to the point that ordinary Virtual Machines have been reconsidered. Many ntop users today are running traffic monitoring applications in Docker, thus it’s important to understand how Containers work and how to make the best use of them. Network isolation is provided by Network Namespaces, a native feature of the …
ntop

Implementing PF_RING-based Hardware Flow Offload in Suricata
Last month we have integrated hardware flow offload in PF_RING 7.0. This week Alfredo has presented at Suricon 2017 the integration of hardware flow offload with Suricata and demonstrated that with this technology you can significantly reduce packet drops and CPU load. Below you can see how NetFlow traffic analysis and Suricata can both benefit from this work. Hardware Flow Offload with Netflow Hardware Flow Offload with Suricata Shall you be interested to read the full story, these are the presentation slides. We remind you that the PF_RING source code …
PF_RING

Introducing PF_RING 7.0 with Hardware Flow Offload
This is to announce a new PF_RING major release 7.0. In addition to many improvements to the capture modules, drivers upgrades, containers isolation, the main change of this release is the ability to offload flow processing to the network card (when supported by the underlying hw). Flow offload is a great feature for cutting the CPU load when using applications doing intensive flow processing, as it’s possible to let the network card handle activities like flow classification (update flow statistics) and shunting (discard or bypass flows according to the application …
ntop

Introducing nScrub: Powerful yet Affordable DDoS Mitigation
ntop has always tried to make the Internet a better place by developing many open-source network monitoring tools, and releasing all the software at no cost to non-profit and education. A few years ago, Qurium/VirtualRoad, a swedish foundation offering secure hosting to independent online news outlets and human rights organisations, contacted us. The reason was that after years mitigating attacks using proprietary appliances and servers running customised Linux kernel code based on netfilter, they reached the conclusion that those solutions were not affordable, or flexible, or fast enough. Their experience with …
n2disk

Introducing n2disk 2.8 with Microburst Detection
Together with PF_RING 6.6, today we also released n2disk 2.8. In this release we introduced support for microburst detection in order to spot traffic bursts, which is crucial in identifying potential capacity issues and troubleshooting packet loss in network equipments. We also improved our “fast” BPF engine extending the supported primitives, and improving the ability to match tunneled traffic. More tools have been added, for playing with the dump set, for instance for moving part of the dump set to an external storage, or deleting PCAP files in a specified time …
PF_RING

PF_RING 6.6 Just Released
After almost one year of development, this is to announce the release of PF_RING 6.6. In this release we have worked on different areas: Introduced nBPF, a software packet-filtering component similar to BPF, that is able to exploit hardware packet filtering capabilities of modern network adapters and transparently deliver these facilities to user-space applications such as nProbe and ntopng, or non-ntop applications such as Wireshark and Suricata. Improved PF_RING ZC Intel 40 Gbit drivers to transparently provide users that ability to use these NICs without having to pay attention to …
PF_RING

Positioning PF_RING ZC vs DPDK
Last week I have met some PF_RING ZC and DPDK users. The idea was to ask questions on PF_RING (for the existing ZC users) and understand (for DPDK users) whether it was a good idea to jump on ZC for future projects or stay on DPDK. The usual question people ask is: can you position ZC vs DPDK? The answer is not a simple yes/no. Let’s start from the beginning. When PF_RING was created, we have envisioned an API, persistent across network adapters, able to give people the ability to …
n2disk

Filtering Terabytes of pcaps using nBPF and Wireshark
In a previous post we introduced our new nBPF library that able to convert a BPF filter to hardware rules for offloading traffic filtering to the network card. We did not mention that the same engine can be used for accelerating traffic extraction from an indexed dump set produced by n2disk. n2disk is a traffic recording application able to produce multiple PCAP files (a per-file limit in duration or size can be used to control the file size) together with an index (for accelerating extraction) and a timeline (for keeping all the files in …
PF_RING

Introducing nBPF: line-rate hardware packet filtering (yes Wireshark at 100G is possible)
Modern network adapters such as Exablaze, Napatech and Silicom’s Intel FM10K, support hardware filters. Unfortunately every company has its own way to set filters, no unified API, and no support of any BPF-like filters. Most of the network monitoring community instead is used to set filters using BPF and thus powerful hardware filtering is present but unused. This has been the driving force for developing nBPF (ntop BPF). We have realized that most of the times filters include IP, port and protocol, that are exactly the features that hardware-based filters …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe