PF_RING

Announce

Released PF_RING 9.0.0: Fully Fledged Hardware Flow Tracking

This is to announce a new PF_RING release 9.0.0! This release brings significant improvements for deeper flow tracking integration, making PF_RING even more powerful for building high-performance flow processing networking applications able to leverage state-of-the-art hardware offloads at high speed. In fact we’ve streamlined support for the latest Napatech SmartNIC’s Flow Manager FPGA, now including periodic flow updates to ensure real-time flow visibility and minimal latency for exporting flow stats. We also explored DOCA Flow support in NVIDIA BlueField and ConnectX adapters, to provide flow tracking also on …
PF_RING

Released PF_RING 8.8.0: Flow Table Offload and nVidia BlueField Support

This is to announce a new PF_RING release 8.8.0! This release adds generic support for flow table offload, which is currently supported on Napatech adapters with Flow Manager enabled. This new technology has been successfully used to accelerate nProbe Cento when running with DPI enabled on multi 100 Gbit traffic (both passive and inline) and the work has been presented at IEEE HPSR (IEEE International Conference on High Performance Switching and Routing). This also adds support for zero-copy transmission on Napatech adapters, to reduce bandwidth utilisation and latency when forwarding …
ntop

Fixing Packet Deduplication: Introducing nDedup

When it comes to monitoring a busy network, network monitoring tools can become bogged down, or even worse produce misleading information for your analysis, because of a hidden culprit: duplicate packets. Imagine a firehose of data streaming across your network: much of this data can be redundant, with identical packets being sent multiple times due to retransmissions or mirroring configurations. As an example, when a SPAN (Switch Port Analyzers) port is used to mirror ingress and egress direction of switch ports, the resulting mirrored traffic might contain up to 50% of …
nProbe

Scaling Up ntopng Flow and Packet Processing

As traffic rate increases, it is important to tune packet processing in order to avoid drops and thus reduced visibility. This post will show you a few tricks for improving the overall performance and better exploiting modern multicore systems. The Problem: ntopng packet processing performance depends on the number of ingress pps (packets per second) as well as the number of flows/hosts being monitored and the number of enabled behavioural checks. With ntopng you can expect to process (your mileage varies according to the CPU/system you are using) a few (< 5) …
cento

Enabling Zeek and Suricata On-Demand at 40/100 Gbit using PF_RING

Overview: Those of you who have some experience with IDS or IPS systems, like Zeek and Suricata, are probably aware of how CPU intensive and memory consuming those applications are due to the nature of the activities they carry out (e.g. signature matching). This leads to high system load and packet loss when the packet rate becomes high (10+ Gbit), making these IDSs unlikely to be deployed on high-speed networks. As nProbe Cento can analyse networks up to 100 Gbit while using nDPI for ETA (Encrypted Traffic Analysis), ntopng …
ntop

Introducing PF_RING 8.4: Zero-Copy Promisc Capture on Virtual Functions

This is to announce a new PF_RING release 8.4! This stable release adds zero-copy support for a new range of (virtual) adapters from Intel: the iavf-zc driver can be used to capture traffic from i40e (X710/XL710) and ice (E810) Virtual Functions. This new driver paves the way for new packet capture architectures as it enables high-speed promiscuous capture on Virtual Functions by leveraging the SR-IOV trust mode available on Intel X710/XL710 adapters. It is now possible for instance to capture all traffic hitting the physical interface from multiple …
ntop

HowTo Select the Right Network Adapter for Traffic Monitoring and Cybersecurity

Since the introduction of PF_RING ZC drivers for Mellanox/NVIDIA, and the new family of Intel E810 adapters, selecting the best, most cost-effective adapter for the use case and the performance we need to achieve has become more complicated. Let’s try to shed some light. Intel Adapters: Most commodity adapters, including Intel and Mellanox, are based on ASIC chipsets, which are cheap and provide simple RX/TX operations, with no (or limited) programmability. Those adapters have been designed for general purpose connectivity and are not really optimized for moving …
PF_RING

Introducing PF_RING 8.2: New Mellanox Support

This is to announce a new PF_RING release 8.2! This new stable version adds support for a new family of ASIC-based adapters from Mellanox/NVIDIA, including ConnectX-5 and ConnectX-6 (please check the User’s Guide for the exact list of supported firmwares). This new driver/adapter combination delivers high performance (in our tests nProbe Cento was able to scale up to 100 Gbps with worst case traffic using a few CPU cores) and provides high flexibility, with support for hardware packet filtering, traffic duplication, load-balancing and nanosecond hardware timestamping as described in a previous post. This …
PF_RING

How PF_RING is Used to Fight Internet Censorship: Refraction Networking

Internet censorship is a global phenomenon (see Figure 1) that aims to throttle or entirely block access to certain Internet resources. National or regional governments impose Internet censorship by using sophisticated networking appliances—strategically placed at the edge of their networks at various Internet inter-connection points—capable of inspecting and discarding network packets destined to sites with restricted content. Users that try to evade censorship have traditionally relied on techniques based on “domain fronting” and VPNs. However, these censorship circumvention tools are becoming increasingly harder to deploy and do not offer strong …
ntop

Introducing PF_RING ZC Support for Mellanox Adapters

PF_RING ZC is ntop’s zero-copy technology for high-speed packet capture and processing. Until now ZC supported 10/40/100 Gbit adapters from Intel based on ASIC chips, in addition to the FPGA-based 100 Gbit adapters already supported by PF_RING including Accolade/Napatech/Silicom. This post is to announce a new ZC driver, known as mlx, supporting a new family of 100 Gbit ASIC-based adapters, this time from Mellanox/NVIDIA, including ConnectX-5 and ConnectX-6 adapters. The supported ConnectX adapters from Mellanox, in combination with the new mlx driver, proved to be capable of high performance, by …
ntop

Introducing PF_RING 8.0: Batch Packet Processing and XDP Support

This is to announce a new PF_RING release 8.0. This new stable version includes enhancements for improving application performance, by adding support for batch processing also in the standard API (it was already available in the ZC API), and consolidates XDP support, which has been reworked to fully leverage the latest Zero-Copy support and buffer management and take full advantage of the native batch capture. This release also adds support for the latest kernels to the ZC drivers for Intel adapters, including those shipped with CentOS (8.4) and Ubuntu LTS (20) …
nDPI

How to Dump, Index, and Layer-7 Filter Network Traffic at High Speed

n2disk is an application that many in the ntop community use to dump traffic up to 100 Gbit. What few people know is that n2disk can index data not just using packet header information (i.e. IP, port, VLAN, MAC…) but also using nDPI to produce an index that contains application protocol information. This filtering can happen: During packet capture (i.e. instruct n2disk to avoid dumping specific protocols such as Netflix or YouTube that take up a lot of disk space and that are usually harmless). While extracting packets from stored …