Exploiting Arista MetaWatch with n2disk and ntopng: HighRes Timestamping and Analytics


Precise packet timestamping is a key feature for network traffic analysis and troubleshooting. Traditionally many people use FPGA-based NICs with precise timestamping (e.g. Napatech, Silicom), even though good precision can also be obtained with PTP-capable NICs such as many Intel network adapters. A better alternative to this practice is to avoid specialised adapters altogether and rely on existing network devices to timestamp packets.

Arista packet brokers with MetaWatch can be configured to add an extra trailer (Metamako) carrying metadata to every captured packet. In fact, Arista 7150 Series devices are able to add packet trailers and generate keyframes to provide high-resolution timestamping, allowing for advanced network analysis and precise latency measurements. Arista MetaWatch devices are also able to include device information such as the Device ID and the incoming Port ID for captured packets, thus identifying the packet source, which is then propagated to packet consumers. Below you can see an example of the packet trailer containing this information.


n2disk, ntop's software tool for packet recording, is able to dump traffic and build an index on the fly, enabling quick traffic retrieval by specifying a time interval and BPF-like criteria. In addition to the 5-tuple, n2disk is able to index extended metadata, including that provided by MetaWatch devices, and to use the timestamp reported in the packet trailer. n2disk stores the device <ID> and interface <ID> in the packet index and allows them to be used when running traffic extractions. A typical use case is the ability to retrieve traffic that went through a specific port at a specific time in our network, in addition to traditional IP address, port and layer-7 based filters.

This can be enabled in n2disk by adding --extended-index 4 and --hw-timestamp metawatch to the configuration (for further information please read the documentation). Example:

--interface=eth1
--dump-directory=/storage
--timeline-dir=/storage
--disk-limit=90%
--index
--extended-index=4
--hw-timestamp=metawatch
--index-on-compressor-threads
--reader-cpu-affinity=0
--compressor-cpu-affinity=1
--writer-cpu-affinity=2
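To make concrete what n2disk reads from the trailer described above (timestamp, Device ID, Port ID) and the "traffic through a given port at a given time" extraction use case, here is an added Python example; it is not ntop code. It assumes the commonly documented 12-byte trailer layout (seconds, nanoseconds, flags, device id, port id) appended after the payload, and that the capture NIC has already stripped the outer FCS; the sample frames are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout (12 bytes, big-endian) after the payload: sec(4) ns(4) flags(1) device_id(2) port_id(1)
TRAILER_FMT = "!IIBHB"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)  # 12
ETH_HDR_LEN = 14

@dataclass(frozen=True)
class MetaWatchTrailer:
    seconds: int
    nanoseconds: int
    flags: int
    device_id: int
    port_id: int

    def timestamp_ns(self) -> int:  # absolute time in nanoseconds
        return self.seconds * 1_000_000_000 + self.nanoseconds

def parse_trailer(frame: bytes) -> Optional[MetaWatchTrailer]:
    """Read the trailer from a frame whose outer FCS the NIC already stripped (assumed).
    Returns None if the frame is too short or the nanosecond field is out of range."""
    if len(frame) < ETH_HDR_LEN + TRAILER_LEN:
        return None
    sec, ns, flags, dev, port = struct.unpack(TRAILER_FMT, frame[-TRAILER_LEN:])
    if ns >= 1_000_000_000:  # plausibility check: do not trust garbage as a trailer
        return None
    return MetaWatchTrailer(sec, ns, flags, dev, port)

def strip_trailer(frame: bytes) -> bytes:
    """Return the frame without its metadata trailer (unchanged if none found)."""
    return frame[:-TRAILER_LEN] if parse_trailer(frame) else frame

def select_by_port(frames: List[bytes], device_id: int, port_id: int,
                   start_ns: int, end_ns: int) -> List[bytes]:
    """Mimic an indexed extraction: frames seen on (device, port) within [start, end)."""
    out = []
    for f in frames:
        t = parse_trailer(f)
        if (t and (t.device_id, t.port_id) == (device_id, port_id)
                and start_ns <= t.timestamp_ns() < end_ns):
            out.append(strip_trailer(f))
    return out

def make_frame(payload: bytes, sec: int, ns: int, dev: int, port: int) -> bytes:
    """Constructed sample frame: dummy Ethernet header + payload + trailer."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    return eth + payload + struct.pack(TRAILER_FMT, sec, ns, 0x01, dev, port)
```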

n2disk is also able to export flow metadata to ntopng, acting as a flow probe, similar to what nProbe or nProbe Cento do. In this configuration, when support for MetaWatch devices is enabled with --hw-timestamp metawatch, n2disk also exports device and port information by populating the %INPUT_SNMP, %OUTPUT_SNMP and %OBSERVATION_POINT_ID Information Elements. Example n2disk configuration file:

--interface=eth1
--dump-directory=/storage
--timeline-dir=/storage
--disk-limit=90%
--index
--extended-index=4
--hw-timestamp=metawatch
--index-on-compressor-threads
--reader-cpu-affinity=0
--compressor-cpu-affinity=1
--writer-cpu-affinity=2
--zmq=tcp://127.0.0.1:5556
--zmq-export-flows

ntopng configuration file example:

-i=tcp://*:5556c

In this configuration, device and ingress/egress port information are collected by ntopng and displayed in the flow details page as depicted below, and hardware timestamps are used in dumped pcaps.

In summary, thanks to Metamako support in ntop tools it is possible to combine precise timestamping and packet-to-disk recording with real-time monitoring capabilities. This is an improvement with respect to hardware-based timestamping NICs, which provide just timestamping and offer no device visibility or mapping onto the actual network topology, a very useful feature to locate and troubleshoot network issues.

Enjoy!