ZC

PF_RING

Introducing PF_RING ZC support for Intel E810-based 100G adapters

Last year Intel announced a new family of 100 Gigabit network adapters, code-named Columbiaville. These new adapters, based on the new Intel Ethernet Controller E810, support 10/25/50/100 Gbps link speeds and provide programmable offload capabilities. Programmability: 800 Series adapters implement new features to improve connectivity, storage protocols, and programmability, also thanks to the Dynamic Device Personalization (DDP) technology, which adds support for a programmable pipeline. In fact, with DDP, a parser embedded in the controller can support the software in parsing custom protocols and manipulating outgoing packets, paving the way to …
PF_RING

Commoditizing 10/25/40/100 Gbit with PF_RING ZC on Intel FM10K

As you know, we have been working on 100 Gbit for a while, not just in terms of network speed, but also in terms of redesigning existing applications to be more efficient and powerful (BTW stay tuned as very soon we will introduce nProbe Cento). With the introduction of the new Intel FM10K Ethernet controller family, it is now possible to support 10/25/40/100 Gbit using one single NIC (just replace the QSFP+ to change network speed) on a product that is in the 1k USD range for dual port. Another major feature of this product is the embedded programmable …
PF_RING

Best practices for using Bro IDS with PF_RING ZC. Reliably.

Zero copy technologies such as PF_RING ZC allow applications to read packets in memory without any other actor involved, be it the kernel or a memory copy. This is the reason why, using ZC, you can easily fill up a 10 Gbit line using a single thread and a single network card queue. The drawback of zero copy is that applications must be well behaved, as the same packet is shared across multiple applications, and thus if one application pollutes the packet memory, this problem affects all the consumers. The same …
PF_RING

Not All Servers Are Alike (With PF_RING ZC/DNA) – Part 3

We have already discussed in the first and second parts of this post some common issues that might be encountered while doing high-performance packet processing. Most of the problems are related to multi-CPU servers (NUMA) and memory configuration. We have spent a lot of time creating the nBox web-GUI, which is not just a graphical interface, but a way to automatically configure ntop applications as well as report common configuration issues. For those who want to live without it, we have some additional lessons learnt to share. Lesson 1: Make sure all …
PF_RING

Migrating from DNA/Libzero to PF_RING ZC

Since the introduction of PF_RING ZC (Zero Copy), we have received many inquiries about migrating from DNA/LibZero to ZC. That said, at the moment we do not plan to discontinue DNA/LibZero, but we would like to summarise the differences and ease the migration for you: In PF_RING 5.x (pre-ZC) there were two driver families: DNA drivers and PF_RING-aware drivers. With the former you could operate at line-rate with DNA/LibZero; with the latter the speed was limited and you were not able to use the packets from LibZero. In ZC, there is one driver family …
PF_RING

Introducing PF_RING ZC (Zero Copy)

NOTE: The new PF_RING home is here. After almost 18 months of development, we are pleased to announce the release of PF_RING ZC (Zero Copy). Based on the lessons learnt with DNA and libzero, we have decided to redesign from scratch a new consistent zero-copy API that implements popular network patterns. The goal is to offer network application developers a simple API, able to deliver line-rate performance (from 1 to multi-10 Gbit). We have hidden all the internals and low-level details from you, in order to create a developer-centric API …
nProbe

How to Balance (Mobile) Traffic Across Applications Using PF_RING

Traffic monitoring requires packets to be received and processed in a coherent manner. Some people are lucky enough to get all interesting packets on a single interface, but this is unfortunately not a common scenario anymore: The use of network taps splits one full-duplex interface into two half-duplex interfaces, each receiving one direction of the traffic. Standby interfaces require traffic monitoring apps to surveil two interfaces, where traffic flows only on one interface at a time. Asymmetric traffic (i.e. all protocols similar to HTTP where the traffic in one direction is …
PF_RING

Accelerating Suricata with PF_RING DNA

Below you can find an excerpt of the “Suricata (and the grand slam of) Open Source IDPS” article written by our friend Peter Manev (Suricata core team) describing how to install and configure PF_RING, DNA and Suricata. The original blog entries can be found at Part One – PF_RING and Part Two – DNA.

Part One – PF_RING

If you have pf_ring already installed, you might want to do:

sudo rmmod pf_ring

If you are not sure if you have pf_ring installed, you can do:

sudo modinfo pf_ring …
PF_RING

Who (Really) Needs Sub-microsecond Packet Timestamps?

Introduction: For years network adapter manufacturers have educated their customers that network monitoring applications can’t live without hardware packet timestamps (i.e. the ability for the network adapter to report to the driver the time a given packet was sent or received). State of the art FPGA-based network adapters [1, 2, 3] have hardware timestamps with a resolution of +/- ~10 nsec and accuracy of +/- ~50 nsec so that monitoring applications can safely assume an accuracy of 100 nsec in measurements, for sub-usec measurements. Commodity adapters such as Intel 1 …
PF_RING

Not All Servers Are Alike (With DNA) – Part 2

Some time ago, we discussed in the first part of this post why not all servers sport the same performance with DNA. The conclusion was that besides the CPU, you need great memory bandwidth in order to move packets from/to the NIC. So in essence CPU + memory bandwidth are necessary for granting line-rate performance. In this post we want to add some lessons learnt while playing with DNA on modern servers. Lesson 1: Not all PCIe slots are alike. With the advent of PCIe gen3, computer manufacturers started to mix …
nbox

BYO10GPR: Build Your Own 10 Gbit Packet Recorder

Packet recorder appliances are one of the last network components that have insane prices. Years ago this was justified by the fact that in order to capture traffic at high speed it was mandatory to use costly custom packet capture cards and often custom-designed hardware. With the advent of multi-10 Gbit packet capture technologies on commodity hardware such as PF_RING DNA, and the availability of high-performance computers such as those based on the Intel Sandy Bridge chipset, the game has changed. Modern 10K RPM 6Gb/s SATA disks enable with 8 …
PF_RING

Accelerating Snort with PF_RING DNA

For some time, PF_RING has included a DAQ (Data AcQuisition library) module for the popular Snort IDS/IPS. Compared with Linux AF_PACKET, the use of PF_RING significantly accelerates all Snort operations. We have recently created a new DAQ module that adds native PF_RING DNA support, further accelerating the vanilla PF_RING DAQ module by 20 to 50%. In addition to greater speed, DNA support also has the advantage of exploiting symmetric RSS, so that you can run one Snort instance per RX queue and be sure that such instance will …