Author: Alfredo Cardigliano

PF_RING

Accelerating Snort, Bro and Suricata with PF_RING ZC

Over the past few months we have spent quite some time accelerating popular open-source IDS/IPS with PF_RING ZC. The result is that you now have the option to select your favourite security product, as we support all of them, at no cost, using PF_RING ZC in both IDS and IPS mode. From our benchmarks we have seen that the acceleration with respect to vanilla Linux AF_PACKET is good even when using standard (non-ZC) PF_RING. We will provide some test results in the near future, but in the meantime we invite you …
n2disk

Building a (Cheap) 2×10 Gbit (Continuous) Packet Recorder using n2disk and PF_RING

Continuous packet recorders are devices that capture network traffic and save it to disk. The term continuous means that this activity is performed “continuously” for as long as the device is active, and not just for a few minutes. At ntop we have developed two companion applications to be used on a packet recorder: n2disk is a software application that captures network traffic at line rate (multi 10 Gbit) and dumps it to disk in pcap format. During packet capture, n2disk can also: Create a pcap index to be used for searching specific packets …
PF_RING

How to Promote Scalability with PF_RING ZC and n2disk

The number of cores per CPU is growing at a rate governed by Moore’s law. Nowadays even low-end CPUs come with at least 4/8 cores, and people want to exploit all of them before buying a new machine. It is not uncommon to see people trying to squeeze onto the same machine multiple applications (n2disk, nProbe, Snort, Suricata, etc.) that all need to analyze the same traffic, also saving money on network equipment for traffic mirroring (TAPs, etc.) while reducing complexity. Both PF_RING ZC and n2disk have been designed to …
PF_RING

PF_RING 6.0.2 Released: DKMS, Sysdig, Hardware Timestamps and much more

Today we have released a maintenance release of PF_RING that includes many fixes and enhancements. In particular: we have moved our binary packages over to DKMS, which makes them independent from the kernel version; previously, a new kernel version forced you to update the packages, and thanks to DKMS this is no longer necessary. We have added sysdig support into PF_RING, so that your PF_RING applications can open the virtual device “sysdig” for reading system events without requiring the sysdig library, which adds complexity in code development. Changelog: PF_RING Library New …
n2disk

Visualising n2disk Captured Traffic using CloudShark

Introduction ntop users are familiar with n2disk and the nBox web interface that eases its use. As you know, the nBox includes a small web-based tool that allows you to preview pcap contents. This tool is good for getting an idea of what a pcap contains, but it is not a fully fledged application. On the other hand, CloudShark is the leading application for analysing traffic traces, and thus we have decided to leverage it to offer the cheapest and most powerful solution for traffic-to-disk and pcap visualisation on the cloud. …
n2disk

Introducing on-the-fly 10 Gbit pcap compression on n2disk

Compressing the pcap files produced by n2disk is a good idea for a few reasons: It allows disk space to be saved, as compressed data takes less space on disk. It enables the creation of cheaper packet recorder appliances, as with the same hardware you can save more data onto disk, and thus in some problem domains you can double the capacity of your existing box. As n2disk leaves some spare CPU cycles (in particular when used on top of Napatech adapters), we have room to compress and index packets on-the-fly …
PF_RING

Not All Servers Are Alike (With PF_RING ZC/DNA) – Part 3

We have already discussed in the first and second parts of this post some common issues that might be encountered while doing high-performance packet processing. Most of the problems are related to multi-CPU servers (NUMA) and memory configuration. We have spent a lot of time creating the nBox web-GUI, which is not just a graphical interface but a way to automatically configure ntop applications as well as report common configuration issues. For those who want to live without it, we have some additional lessons learnt to share. Lesson 1: Make sure all …
PF_RING

Migrating from DNA/Libzero to PF_RING ZC

Since the introduction of PF_RING ZC (Zero Copy), we have received many inquiries about migrating from DNA/LibZero to ZC. Having said that at the moment we do not plan to discontinue DNA/LibZero, we would like to summarise the differences and ease your migration: In PF_RING 5.x (pre-ZC) there were two driver families: DNA drivers and PF_RING-aware drivers. With the former you could operate at line rate with DNA/LibZero; with the latter the speed was limited and you were not able to use the packets from LibZero. In ZC, there is one driver family …
PF_RING

Introducing PF_RING ZC (Zero Copy)

NOTE: The new PF_RING home is here. After almost 18 months of development, we are pleased to announce the release of PF_RING ZC (Zero Copy). Based on the lessons learnt with DNA and libzero, we have decided to redesign from scratch a new, consistent zero-copy API that implements popular network patterns. The goal is to offer you a simple API, able to deliver line-rate performance (from 1 to multi-10 Gbit) to network application developers. We have hidden all the internals and low-level details from you, in order to create a developer-centric API …
Announce

Accurate 10 Gbit Traffic Replay Using disk2n

n2disk is a software application that allows traffic to be dumped to disk at line rate (10 Gbit full duplex) with highly accurate timestamps. This works both with network cards featuring hardware timestamps and with software timestamps. Most companies focus just on capture to disk, whereas we believe that it is also compulsory to provide solutions for traffic replay by exploiting these highly accurate timestamps that have been saved in pcap files. This activity is quite challenging. Replaying traffic with high-precision timestamps is necessary, for instance, whenever we want to reproduce exactly the …
nProbe

How to Balance (Mobile) Traffic Across Applications Using PF_RING

Traffic monitoring requires packets to be received and processed in a coherent manner. Some people are lucky enough to get all interesting packets on a single interface, but this is unfortunately not a common scenario anymore: The use of network taps splits one full-duplex interface into two half-duplex interfaces, each receiving one direction of the traffic. Standby interfaces require traffic monitoring apps to surveil two interfaces, where traffic flows on only one interface at a time. Asymmetric traffic (i.e. all protocols similar to HTTP where the traffic in one direction is …
PF_RING

Learning the PF_RING API

Since the initial version, PF_RING has supported the pcap API that is familiar to many developers. This has allowed people to seamlessly port existing apps on top of PF_RING, simply by relinking their apps against the PF_RING-aware version of libpcap. Unfortunately the pcap API is able to exploit just a subset of the features available in the native PF_RING API, as demonstrated by the various apps we have coded to show how the native API works. In order to ease the development of new native PF_RING applications, we acknowledge it …