nProbe

Tuning nProbe 6.4 Scalability and Performance
Release 6.3 of nprobe targeted IPFIX compatibility. In release 6.4.x (just introduced) the main focus has been on scalability and performance. Until 6.3, the nProbe architecture was not really exploiting multicore systems, due to heritage of previous versions. With this release nProbe reaches a new level as you can see from the graph below (traffic was generated using an IXIA 400, flows last 5 seconds, and are emitted in V5 format, PF_RING 4.6.3, Intel e1000e capture adapter with PF_RING-aware driver [no TNAPI]). Both graphs depict the sustained throughput rate (Y …
PF_RING

ntop and Silicom Inc join the forces
Since a few months ntop and Silicom have started to work together on various network-related topics. The idea is to enhance PF_RING and  TNAPI in order to offer better products and support for both the community and Silicom customers. Furthermore, Silicom produces very advanced products such as the content director card and the packet processor card, that could solve various network-related tasks including: packet mirroring, tapping, duplication packet steering QoS enforcement packet traffic analysis As these activities are performed in hardware, they operate at wire-speed (at both 1 and 10 …
nProbe

nProbe complies with the IPFIX specification
Last week I have participated to an IPFIX interoperability event held in Prague, right before the IETF 80. In the picture below you can see me between Benoit Claise (Cisco, one of the IPFIX/NetFlow fathers) and Jiri Novotni (Invea-Tech). nProbe 6.3.x has been successfully tested against all the available implementations including Vermont, SiLK, nfdump/IPFIX (Cesnet). nProbe has passed all the IPFIX interoperability tests as both probe (over SCTP, UDP, and TCP) and collector (UDP), dissecting both IPv4 and IPv6 traffic, and also converting NetFlow-Lite flows into IPFIX flows. Most of you …
PF_RING

Remote nsec TimeStamps using PF_RING and cPacket Devices
PF_RING supports nsec timestamps from some modern NICs, such as those based on the Intel 82580 (e.g. Silicom PE2G4i80). But NIC timestamps require installing and running the application on the machine where the adapter is installed. Furthermore, by the time the traffic gets from the wire to the the NIC, its temporal behavior might have been altered by queuing, buffering, and switching caused by SPAN ports or aggregation devices. cPacket offers products that deliver nanosecond accurate timestamps directly from the wire, before switching, queuing, or bufffering. cPacket inline hardware probes …
nProbe

nProbe IPFIX Interoperability Tests
Over the past month quite a lot of effort has been put on the IPFIX side of nProbe. Recently, nProbe has been successfully verified by Juniper as an IPFIX (in addition to v9) collector for flows generated by Juniper MX routers, and Cisco Catalyst 4948E switches. In order to further guarantee users that nProbe respects the IPFIX standards, nProbe will be tested against other IPFIX implementations at the IPFIX Interoperability Event that will take place next week in Prague. In the following months, ntop will also try to push in the …
PF_RING

Developing Monitoring Applications based on PF_RING
Many people use PF_RING just as a “better” libpcap. PF_RING is much more than that, as it can significantly simplify the design of network monitoring applications as well better exploit modern multi-core architectures and network adapters. For those willing to dive into PF_RING, I have released an updated user’s guide that can introduce you to the PF_RING API. Do not forget that there’s a detailed PF_RING tutorial available, as well several code examples for showing in practice what PF_RING can offer you. …
PF_RING

Using Hardware Timestamps with PF_RING
Up to some years ago, hardware timestamps were available only on costly FPGA-based NICs. Slowly, NIC manufactures started to consider hw timestamps as an important feature, and they started to introduce them in new cards. As of today Silicom PE2Gi80, Intel 1 Gbit Ethernet Server Adapter i340 (1 Gbit) and Neterion X3110/X3120 (10 Gbit) offer off-the-shelf hardware timestamps. These cards do not feature a GPS connector, but support IEEE 1588 for clock synchronization. The accuracy of the hw timestamps of these cards ranges from 3 to 7 ns. PF_RING has …
Announce

Say hello to NetFlow-Lite (NFLite)
As you all know, NetFlow has been initially designed for routers (or L3 switches if you wish), contrary to sFlow that instead has been deployed mostly on switches. In this view, people use NetFlow just for monitoring internet traffic, as NetFlow is not supported across the product portfolio due to dedicated ASIC required. NetFlow-lite (first introduced with Catalyst 4948E) bridges the gap by providing a lightweight solution that allows capturing of important flow information through packet sampling mechanisms combined with the extensibility of NetFlow version 9 and IPFIX. What is NetFlow-Lite? In …
nProbe

Cisco(Live) and ntop
Just like Apple is the computer brand I use since 1985, for me Cisco is the networking company, the one that created the first routers and switches on which the Internet was built. It has been a great surprise when last summer I have been contacted by a Cisco representative, who has asked me whether I was interested in starting a new project on NetFlow. After the initial surprise, of course I have accepted, and now it’s a few months I work with (not for) Cisco on this nice and challenging …
PF_RING

PF_RING and transparent_mode
Many PF_RING users know that for avoid patching the Linux kernel, as of PF_RING 4.x packets are received though NAPI. This means that the packet journey is the same used in standard Linux, thus the performance improvement with respect to vanilla Linux is minimal (< 5%) although PF_RING allows to do many more things than the standard AF_PACKET. In order to boost performance PF_RING supports a parameter named transparent_mode that can be used when the module is loaded into the kernel as follows insmod pf_ring.ko transparent_mode=X where X can either …
nProbe

HTTP Traffic Analysis Using nProbe and Scrutinizer
Are you interested in getting URL information from NetFlow?  The nProbe NetFlow probe or the nBox can do it.  Paul at Plixer International recently wrote a blog on Recommended nProbe Templates.  For a foundation on this topic, check out his blog.  As an extension of his blog, I’ll explain how to get URLS from the nProbe. Scrutinizer from Plixer is the ideal tool for advanced IPFIX reporting and network traffic analysis. Below is a top domain report. For our company, the first page of this report is usually legitimate sites, …
ntop

ntop in 2011
Most of you know only small pieces of the ntop project. I have decided to prepare a few slides that you can use as tutorial for showing how the various project components can be used to efficiently monitor networks, and what you can expect in 2011 from this project (see for instance vPF_RING and n2disk). Happy new year. …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe