Author: Luca Deri

  • Home
  • Articles by: Luca Deri
nProbe

Using nProbe as NetFlow-Lite Cache
As previously stated on this blog, we have worked tightly with Cisco as nProbe has been selected as reference implementation for NetFlow-Lite flow conversion. Although NetFlow-Lite support has been added to nprobe since version 6.1.4 and it’s available on all supported platforms (both Unix and Windows), with nProbe 6.5 (just released) we have moved NetFlow-Lite support to the next level. This is because nProbe now features both a Specialized plugin for NetFlow-lite flow collection that increases of 5x times the collection performance. PF_RING kernel plugin (Linux only) that can convert …
PF_RING

Going beyond RSS (Receive-Side Scaling)
When RSS was introduced some years ago, operating systems had the chance to scale also when handling network packets as RSS allowed incoming packets to be distributed across processor cores. Unfortunately RSS uses a one-way hash, that while distributes packets heavenly across queues, it has some drawbacks. The main one is that if you have a connection A <-> B, packets A->B will go on queue X, and those of B->A on queue Y, where X <> Y. This is a major issue for applications, as you cannot assume that …
PF_RING

Packet Capture Performance at 10 Gbit: PF_RING vs TNAPI
Many of you are using PF_RING and TNAPI for accelerating packet capture performance, but have probably not tested the code for a while. In the past month we have tuned PF_RING performance and squeezed some extra packets captured implementing the quick_mode in PF_RING. When you do insmod pf_ring.ko quick_mode=1, PF_RING optimizes its operations for multi-queue RX adapters and applications capturing traffic from several RX queues simultaneously. The idea behind quick_mode is that people should use it whenever they are interested just in maximum packet capture performance, and do not need …
Announce

Power to see all
Almost a decade ago Dr Ian Graham was in Europe for a series of conferences and I have met him in person along with other people from Politecnico di Torino, that were developing winpcap (one of the key guys of the group, Loris Degioanni, at that time was visiting Endace, thus was not present at the meeting. Loris later become a successful entrepreneur having founded Cace, now Riverbed). For me it was a big pleasure to have such meeting, as Endace was in the early days (and also all of …
Announce

ntop at the Nagios World Conference Europe
PRESS RELEASE Bolzano April 13th 2011 ntop at the “Nagios World Conference Europe™” on May 12th at  Bolzano/Italy Luca Deri will be among the keynote speakers at the official European edition dedicated to the well-know Open Source monitoring solution After the American edition in Sào Paolo/Brazil, the European counterpart of the Nagios World Conference™ will be held on May 12th at Bolzano/Italy. Nagios partner Würth Phoenix, who will host the event has confirmed the participation of namable speakers such as Nagios founder Ethan Galstad, Nagios Plugin coordinator Ton Voon or …
nProbe

How to Monitor Latency Using nProbe
On May 12th in Bolzano (I) at the Nagios World Conference Europe,  I will give a speech about network and application latency monitoring using nProbe. This is an hot topic, in particular for those who think of NetFlow/IPFIX as just a way to count bytes and packets. NetFlow/IPFIX instead is (this is my opinion) an open protocol that can be used to carry monitoring data from observation points to monitoring systems. The fact that many probes export you just bytes 'n packets info, it's not a protocol limitation but a probe limitation. In this respect nProbe supports many extensions such as latency monitoring, information about packets out-of-order, retransmitted, fragmented, average flow packet size and many more. In particular, latency is computed both as network and application latency: Read more
nProbe

Tuning nProbe 6.4 Scalability and Performance
Release 6.3 of nprobe targeted IPFIX compatibility. In release 6.4.x (just introduced) the main focus has been on scalability and performance. Until 6.3, the nProbe architecture was not really exploiting multicore systems, due to heritage of previous versions. With this release nProbe reaches a new level as you can see from the graph below (traffic was generated using an IXIA 400, flows last 5 seconds, and are emitted in V5 format, PF_RING 4.6.3, Intel e1000e capture adapter with PF_RING-aware driver [no TNAPI]). Both graphs depict the sustained throughput rate (Y …
PF_RING

ntop and Silicom Inc join the forces
Since a few months ntop and Silicom have started to work together on various network-related topics. The idea is to enhance PF_RING and  TNAPI in order to offer better products and support for both the community and Silicom customers. Furthermore, Silicom produces very advanced products such as the content director card and the packet processor card, that could solve various network-related tasks including: packet mirroring, tapping, duplication packet steering QoS enforcement packet traffic analysis As these activities are performed in hardware, they operate at wire-speed (at both 1 and 10 …
nProbe

nProbe complies with the IPFIX specification
Last week I have participated to an IPFIX interoperability event held in Prague, right before the IETF 80. In the picture below you can see me between Benoit Claise (Cisco, one of the IPFIX/NetFlow fathers) and Jiri Novotni (Invea-Tech). nProbe 6.3.x has been successfully tested against all the available implementations including Vermont, SiLK, nfdump/IPFIX (Cesnet). nProbe has passed all the IPFIX interoperability tests as both probe (over SCTP, UDP, and TCP) and collector (UDP), dissecting both IPv4 and IPv6 traffic, and also converting NetFlow-Lite flows into IPFIX flows. Most of you …
PF_RING

Remote nsec TimeStamps using PF_RING and cPacket Devices
PF_RING supports nsec timestamps from some modern NICs, such as those based on the Intel 82580 (e.g. Silicom PE2G4i80). But NIC timestamps require installing and running the application on the machine where the adapter is installed. Furthermore, by the time the traffic gets from the wire to the the NIC, its temporal behavior might have been altered by queuing, buffering, and switching caused by SPAN ports or aggregation devices. cPacket offers products that deliver nanosecond accurate timestamps directly from the wire, before switching, queuing, or bufffering. cPacket inline hardware probes …
nProbe

nProbe IPFIX Interoperability Tests
Over the past month quite a lot of effort has been put on the IPFIX side of nProbe. Recently, nProbe has been successfully verified by Juniper as an IPFIX (in addition to v9) collector for flows generated by Juniper MX routers, and Cisco Catalyst 4948E switches. In order to further guarantee users that nProbe respects the IPFIX standards, nProbe will be tested against other IPFIX implementations at the IPFIX Interoperability Event that will take place next week in Prague. In the following months, ntop will also try to push in the …
PF_RING

Developing Monitoring Applications based on PF_RING
Many people use PF_RING just as a “better” libpcap. PF_RING is much more than that, as it can significantly simplify the design of network monitoring applications as well better exploit modern multi-core architectures and network adapters. For those willing to dive into PF_RING, I have released an updated user’s guide that can introduce you to the PF_RING API. Do not forget that there’s a detailed PF_RING tutorial available, as well several code examples for showing in practice what PF_RING can offer you. …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe