Author: Luca Deri

PF_RING

Using Hardware Timestamps with PF_RING

Until a few years ago, hardware timestamps were available only on costly FPGA-based NICs. Slowly, NIC manufacturers started to consider hardware timestamps an important feature and introduced them in new cards. As of today the Silicom PE2Gi80, the Intel Ethernet Server Adapter i340 (1 Gbit) and the Neterion X3110/X3120 (10 Gbit) offer off-the-shelf hardware timestamps. These cards do not feature a GPS connector, but they support IEEE 1588 (PTP) for clock synchronization. The accuracy of the hardware timestamps of these cards ranges from 3 to 7 ns. PF_RING has …
Announce

Say hello to NetFlow-Lite (NFLite)

As you all know, NetFlow was initially designed for routers (or L3 switches, if you wish), whereas sFlow has been deployed mostly on switches. As a result, people use NetFlow mostly for monitoring Internet traffic, since NetFlow is not supported across the whole product portfolio because it requires dedicated ASICs. NetFlow-Lite (first introduced with the Catalyst 4948E) bridges the gap by providing a lightweight solution that captures important flow information through packet sampling, combined with the extensibility of NetFlow version 9 and IPFIX. What is NetFlow-Lite? In …
nProbe

Cisco(Live) and ntop

Just like Apple has been the computer brand I have used since 1985, for me Cisco is the networking company, the one that created the first routers and switches on which the Internet was built. It was a great surprise when last summer I was contacted by a Cisco representative, who asked me whether I was interested in starting a new project on NetFlow. After the initial surprise, of course I accepted, and for a few months now I have been working with (not for) Cisco on this nice and challenging …
PF_RING

PF_RING and transparent_mode

Many PF_RING users know that, to avoid patching the Linux kernel, as of PF_RING 4.x packets are received through NAPI. This means that the packet journey is the same as in standard Linux, so the performance improvement with respect to vanilla Linux is minimal (< 5%), although PF_RING allows doing many more things than standard AF_PACKET. In order to boost performance, PF_RING supports a parameter named transparent_mode that can be set when the module is loaded into the kernel, as follows: insmod pf_ring.ko transparent_mode=X where X can either …
nProbe

HTTP Traffic Analysis Using nProbe and Scrutinizer

Are you interested in getting URL information from NetFlow? The nProbe NetFlow probe or the nBox can do it. Paul at Plixer International recently wrote a blog post on Recommended nProbe Templates. For a foundation on this topic, check out his post. As an extension of it, I'll explain how to get URLs from nProbe. Scrutinizer from Plixer is the ideal tool for advanced IPFIX reporting and network traffic analysis. Below is a top domain report. For our company, the first page of this report is usually legitimate sites, …
ntop

ntop in 2011

Most of you know only small pieces of the ntop project. I have decided to prepare a few slides that you can use as a tutorial showing how the various project components can be used to efficiently monitor networks, and what you can expect from this project in 2011 (see for instance vPF_RING and n2disk). Happy new year. …
nProbe

How to Configure nProbe to Export URLs and Latency via NetFlow

Our friends at Plixer have written a nice article about how to use nProbe to export HTTP and latency information. Note that you can also use the nProbe HTTP plugin to trace HTTP events and rebuild user sessions. This is because NetFlow is not exactly the best protocol for exporting this kind of information. The available options are: --http-dump-dir <dump dir> …
ntop

Monitoring Traffic Using ntop: Cisco Traffic Analyzer

Most network administrators use ntop for monitoring Ethernet traffic. ntop can do much more than this and also monitor Fibre Channel and SCSI traffic. Cisco Traffic Analyzer is a software product based on ntop whose goal is to give Cisco MDS 9000 users a view of the network traffic. Did you know that ntop can also do this? …
PF_RING

Using PF_RING with Snort and Suricata for IDS/IPS Acceleration

Some users are exploiting PF_RING acceleration to improve popular IDS/IPS applications such as Snort and Suricata. Suricata has leveraged PF_RING since day one thanks to Will Metcalf, whereas I have added (again together with Will) support in Snort via the DAQ library that is part of version 2.9. Acceleration does not mean just improved packet capture, but also the ability to fully exploit multicore architectures by spreading packets across multiple application instances. This is a unique feature that can't be found in pcap-based libraries. This is an excerpt from the snort-users mailing …
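As an added illustration of the point just made (this is not PF_RING's own code, nor its actual distribution function): when packets are spread over several Snort or Suricata processes, both directions of a TCP/UDP flow must reach the same instance, otherwise stream reassembly and stateful rules see only half of the conversation. The Python below compares a naive per-packet 5-tuple hash with a symmetric one that sorts the two endpoints first. The sample packets, the instance count of 4 and the blake2b-based bucket hash are all assumptions made for the example.

```python
"""Flow-consistent distribution of packets across N IDS instances.

Added example, not PF_RING code. Shows why a per-packet hash of the raw
5-tuple is the wrong way to fan packets out to multiple Snort/Suricata
processes, and how a symmetric (direction-independent) key fixes it.
"""
import hashlib
import socket
import struct

N_INSTANCES = 4  # assumed number of IDS processes packets are spread over


def naive_flow_key(src_ip, dst_ip, src_port, dst_port, proto):
    """Pack the 5-tuple exactly as seen on the wire.

    A->B and B->A produce different keys, so the two halves of one flow
    can be sent to two different IDS instances.
    """
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HHB", src_port, dst_port, proto))


def symmetric_flow_key(src_ip, dst_ip, src_port, dst_port, proto):
    """Sort the two (address, port) endpoints before packing so that
    both directions of a flow yield an identical key."""
    ep_a = (socket.inet_aton(src_ip), src_port)
    ep_b = (socket.inet_aton(dst_ip), dst_port)
    lo, hi = sorted((ep_a, ep_b))
    return lo[0] + hi[0] + struct.pack("!HHB", lo[1], hi[1], proto)


def instance_for(key, n_instances=N_INSTANCES):
    """Map a flow key to an instance index.

    blake2b is used instead of Python's hash() so the mapping is stable
    across processes and interpreter runs (hash() is randomised per run).
    """
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_instances


def reverse(pkt):
    """Return the same packet as seen from the other direction."""
    src_ip, dst_ip, sport, dport, proto = pkt
    return (dst_ip, src_ip, dport, sport, proto)


def split_flows(packets, keyfunc, n_instances=N_INSTANCES):
    """Return the flows (as symmetric keys) whose two directions would be
    handed to different instances under the given key function."""
    broken = set()
    for pkt in packets:
        fwd = instance_for(keyfunc(*pkt), n_instances)
        rev = instance_for(keyfunc(*reverse(pkt)), n_instances)
        if fwd != rev:
            broken.add(symmetric_flow_key(*pkt))
    return broken


# Constructed sample traffic: (src_ip, dst_ip, src_port, dst_port, proto)
PACKETS = [
    ("10.0.0.5", "192.168.1.10", 51234, 80, 6),     # client -> web server
    ("192.168.1.10", "10.0.0.5", 80, 51234, 6),     # server -> client
    ("10.0.0.7", "192.168.1.20", 40001, 443, 6),    # client -> TLS server
    ("192.168.1.20", "10.0.0.7", 443, 40001, 6),    # TLS server -> client
    ("10.0.0.9", "8.8.8.8", 53123, 53, 17),         # DNS query
    ("8.8.8.8", "10.0.0.9", 53, 53123, 17),         # DNS reply
    ("172.16.4.2", "172.16.4.200", 22, 60222, 6),   # SSH server -> client
]


if __name__ == "__main__":
    for name, keyfunc in (("naive", naive_flow_key),
                          ("symmetric", symmetric_flow_key)):
        broken = split_flows(PACKETS, keyfunc)
        print(f"{name:>9}: {len(broken)} flow(s) split across instances")
    for pkt in PACKETS:
        print(pkt, "->", "instance", instance_for(symmetric_flow_key(*pkt)))
```

With the symmetric key no flow is ever split, whatever the instance count; with the naive key whether a given flow survives depends only on luck in the modulo, which is exactly the non-determinism that makes IDS alerts disappear when you move from one capture process to several.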
PF_RING

Meet ntop at RIPE 61 Rome (15-19 November)

Those who are interested in hearing about high-speed packet capture and filtering, and in monitoring in general, can attend the next RIPE 61 meeting that will take place in Rome (15-19 November). I will be speaking about hardware packet filtering using commodity adapters and how this work can be used in real life, ranging from ntop/nProbe to snort and network troubleshooting. …
PF_RING

Improving snort performance using PF_RING and multi-queue adapters

As of PF_RING 4.5.x, the user-space tools that are part of PF_RING have been enhanced with native snort support. As of version 2.9, snort sits on top of a library called DAQ (Data Acquisition library) that creates a transparent layer between snort and the packet capture modules. PF_RING is now a first-class citizen in DAQ, as in PF_RING/userland/snort you can find the PF_RING DAQ module. This module not only lets snort take advantage of PF_RING acceleration, but also allows offloading some of its processing tasks to PF_RING. For instance …