Author: Luca Deri

PF_RING

PF_RING and Transparent Mode

PF_RING has been designed to enhance packet capture performance. This means that the RX path must be accelerated, and one way to do so is to shorten the journey of a packet from the adapter to userland. This is obtained by letting the driver push packets from the NIC directly into PF_RING rather than through the usual kernel path. For this reason PF_RING introduced an option named “transparent mode”, whose goal is to tune how packets are moved from the NIC to PF_RING. This option …
PF_RING

Introducing PF_RING DNA (Direct NIC Access)

This is to announce the availability of PF_RING DNA (Direct NIC Access), which significantly improves performance (up to 80%) compared with standard Linux packet capture and with PF_RING (non-DNA). PF_RING polls packets from NICs by means of Linux NAPI. This means that NAPI copies packets from the NIC into the PF_RING circular buffer, and the userland application then reads packets from the ring. In this scenario there are two pollers, the application and NAPI, and CPU cycles are spent on both; the advantage is that PF_RING …
PF_RING

ntop.org Joins the Open Information Security Foundation

Suricata is the next generation open source IDS/IPS developed by the Open Information Security Foundation. It is a pleasure to announce that ntop has joined the core development team, as the Linux version of Suricata is based on the acceleration provided by PF_RING. In the near future PF_RING will be extended so that it can also accelerate packet transmission, in order to move Suricata IPS performance to the next level. More information can be found here. …
ntop

ntop.org Accredited as Endace Technology Partner

We’re proud to announce that ntop.org has been accredited as an Endace technology partner, in recognition of ntop’s contribution to the open-source world and as a guarantee for Endace customers that products such as ntop and nProbe run smoothly (and faster) on Endace DAG cards. …
PF_RING

Exploiting Commodity Multi-core Systems for Network Traffic Analysis

The article Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch positions PF_RING (version 3.x, so some changes are needed when using version 4) against the standard Linux PF_PACKET packet capture facility. In PF_RING v4, due to popular demand, I have decided to move some of the PF_RING accelerations into the NIC driver, with the advantage that PF_RING can now be compiled against an unpatched kernel. The PF_RING distribution now has a drivers/ directory that contains accelerated drivers for popular 1 and 10 Gbit adapters. This …
ntop

ntop ASA Support

ntop has supported NetFlow for many years, including the latest v9/IPFIX versions. In 2005 Cisco released a new line of x86-based security devices named ASA, which unfortunately were not supported by ntop/nProbe for a long time. As of today (June 15th 2010, SVN revision 4299) ntop/nProbe finally support ASA. Please note that since ASA units do not export templates very often, ntop might need some time before it starts decoding flows (until the template is received). Furthermore, because of the nature of ASA flows (e.g. notify when a new …
nProbe

Port Mirror vs Network Tap

In order to analyze network traffic, it’s necessary to feed ntop/nProbe with network packets. There are two solutions to the problem: a port mirror (also called SPAN in Cisco parlance) or a network tap. Before explaining the differences between these two solutions, it’s important to understand how Ethernet works. At 100 Mbit and above, hosts usually speak in full duplex, meaning that a host can both send and receive simultaneously. This means that on a 100 Mbit cable connected to a host, the total amount of traffic that the host can send/receive is …
PF_RING

IRQ Balancing

On Linux, interrupts are handled automatically by the kernel. In particular there's a process named irqbalance that is responsible for balancing interrupts across processors. Unfortunately the default is to let all processors handle interrupts, with the result that overall performance is not optimal, in particular on multi-core systems. This is because modern NICs can have multiple RX queues that work perfectly only if cache coherency is respected. This means that interrupts for ethX RX queue Y must be sent to 1 (one) core, or at most to a core and its Hyper-Threaded (HT) companion. If multiple processors handle the same RX queue, this invalidates the cache and performance gets worse. For this reason IRQ balancing is the key to performance. In particular, what I suggest is to have one core (or two, in the case of HT) handle the same interrupt. By default on Linux, interrupts are sent to all processors, hence /proc/irq/X/smp_affinity is set to ffffffff, which means all processors. Instead, as I have just stated above, it's better to avoid having all processors handle all interrupts. …