This is to announce the new 1.4 stable release of nProbe cento. The most important feature that comes with this new version is definitely the support for hardware flow offloading as well as various bug fixing and improved netflow template definition.
We recently discussed the benefits of hardware flow offloading in another blog post. Hardware flow offloading alleviates, to a great extent, the pressure put on the CPU by intensive tasks such as classification (associating single packets to flows for accounting and deep packet inspection). Basically, hardware flow offloading means that the network adapter keeps a stateful flows table constantly kept updated to account for any single packet. Periodically, flow updates with aggregated information (e.g., total bytes and packets) are reported to nProbe cento that will have to just annotate such information for downstream export. In practical terms, this translates into a less-loaded CPU that can thus be used for other activities such as raw traffic recording as well as for Intrusion Detection and Intrusion Prevention Systems (IDS/IPS).
Currently hardware flow offload supported by 10/40G Accolade Technology adapters of the ANIC-Ku Series (tested on ANIC-20/40Ku, ANIC-80Ku).
The full list of changes shipped with 1.4 stable are:
Main New Features
- Full support for the new systemd service manager
- Support for Accolade adapters with hardware flow offloading capabilities
- Support for multiple aggregated egress queues and devices
- Egress policies can be applied on a per-egress queue/device basis and can be configured with HTTP REST API calls
- Handles HUP signals to reload configuration files and policy rules
flowStartMilliseconds
andflowEndMilliseconds
for precise flow timestamping- Support for AWS virtual interfaces
- Added support for RFC 5103 to export reverse counters in IPFIX
- Support for IPFIX 64-bit counters
- Added BPF support in ZC
- Added DNS query type in nDPI
- Implements VLAN to interface index mapping
New Options
--bpf-filter
to filter monitored traffic using BPF syntax--flow-offload
to enable hardware flow offload on Accolade adapters- Implemented IPFIX unidirectional flow support with
--uniflow
- Added
--max-socket-tx-buffer
to specify the TX buffer size and to slow down export when the TX buffer is > 50% full - Non-blocking UDP export is now disabled and it can be enabled with
--send-dont-wait
- Added
--flow-delay
and--count-delay
to throttle the flow export rate --template-send-pkts
to control the export frequence of flow templates--vlan-iface-map
to map VLAN IDs to INPUT/OUTPUT interface ids- Implemented
--human-readable-tcpflags
to dump TCP flags to text files in a human readable format - Implemented
--sample-rate
to perform packet sampling - Added the ability to specify the binding between id interfaces and networks with
--if-networks
- Added
--iface-id
to control INPUT/OUTPUT interface ids in exported flows --csv-separator
to control the character that separates columns in generated text files- Export flows in JSON format to syslog with
--json-to-syslog
- Added
--trace-log
to dump traces on a log file