All Blog Posts

PF_RING

10 Gbit PF_RING-based Hardware Packet Filtering and Balancing Previewed at the Intel Europe Conference

Intel Research Europe Conference, Bruxelles, May 4th 2010. Luca Deri and Joseph Gasparakis, senior Intel engineer, have previewed a new PF_RING-based technology they have co-developed that allows Linux users to fully exploit the hardware capabilities of the newest Intel X520 10 Gbit adapter (based on the Intel 82599 controller). This technology, which is close to public availability (at no cost), will enable PF_RING users to program the X520 card with over 32’000 rules that both balance and filter traffic in hardware with no CPU intervention. Linux users will be …
ntop

Meet ntop @ Bolzano (May 20th): Conference on Nagios, NTOP @ OSS Monitoring featuring Ethan Galstad and Luca Deri

Following the great interest in 2009, the successful series of international conferences on Nagios, NTOP and OSS Monitoring will also continue in 2010. Therefore the organization team of Würth Phoenix spared no efforts to top last year’s agenda and bring international Nagios and OSS Monitoring experts to Bolzano/Italy. Next to Nagios founder Ethan Galstad, the key speakers will include Michael Medin, Cacti Europe leader Reinhard Scheck, ntop founder Luca Deri, and the internationally experienced Swedish Nagios service provider op5. The presented sessions …
nProbe

IANA Assigned a PEN to ntop

The Internet Assigned Numbers Authority (IANA) has assigned PEN (Private Enterprise Number) 35632 to ntop. This means, for instance, that nProbe extensions (e.g. HTTP and VoIP traffic monitoring) will be exported over IPFIX using a valid template that is recognized by all flow collectors available on the market. A side effect is that whoever uses ntop/nProbe to monitor their own network, or writes monitoring extensions, will be able to export them using a uniform template that is handled by all applications. This is a major step …
nProbe

Collection and Exploration of Large Data Monitoring Sets Using nProbe

Collecting and exploring monitoring data is becoming increasingly challenging as networks become larger and faster. Solutions based on both SQL-databases and specialized binary formats do not scale well as the amount of monitoring information increases. This paper presents a novel approach to the problem by using a bitmap database that allowed the authors to implement an efficient solution for both data collection and retrieval. The validation process on production networks has demonstrated the advantage of the proposed solution over traditional approaches. This makes it suitable for efficiently handling and interactively …
PF_RING

PF_RING and Transparent Mode

PF_RING has been designed to enhance packet capture performance. This means that the RX path must be accelerated, and one way to do so is to shorten the journey of the packet from the adapter to userland. This is obtained by allowing the driver to push the packet from the NIC to PF_RING directly, rather than through the usual kernel path. For this reason PF_RING has introduced an option named “transparent mode” whose goal is to tune how packets are moved from the NIC to PF_RING. This option …
PF_RING

Introducing PF_RING DNA (Direct NIC Access)

This is to announce the availability of PF_RING DNA (Direct NIC Access), which significantly increases performance (up to 80%) when compared with Linux packet capture and PF_RING (non-DNA). PF_RING polls packets from NICs by means of Linux NAPI. This means that NAPI copies packets from the NIC to the PF_RING circular buffer, and then the userland application reads packets from the ring. In this scenario there are two pollers, the application and NAPI, and this costs CPU cycles spent on polling; the advantage is that PF_RING …
PF_RING

ntop.org Joins the Open Information Security Foundation

Suricata is the next generation open source IDS/IPS developed by the Open Information Security Foundation. It is a pleasure to announce that ntop has joined the core development team, as the Linux version of Suricata is based on acceleration provided by PF_RING. In the near future PF_RING will be extended so that it can also accelerate packet transmission, in order to move Suricata IPS performance to the next level. More information can be found here. …
ntop

ntop.org Accredited as Endace Technology Partner

We’re proud to announce that ntop.org has been accredited as an Endace technology partner, as recognition for ntop’s contribution to the open-source world and also as a guarantee for Endace customers that products such as ntop and nProbe run smoothly (and faster) on Endace DAG cards. …
PF_RING

Exploiting Commodity Multi-core Systems for Network Traffic Analysis

The article “Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch” positions PF_RING (3.x, so some changes are needed when using version 4) against the standard Linux PF_PACKET packet capture facility. In PF_RING v4, due to popular demand, I have decided to move some of the PF_RING accelerations into the NIC driver, with the advantage of now being able to compile PF_RING against an unpatched kernel. The PF_RING distribution now has a drivers/ directory that contains accelerated drivers for popular 1 and 10 Gbit adapters. This …
ntop

ntop ASA Support

ntop has supported NetFlow for many years, including the latest v9/IPFIX versions. In 2005 Cisco released a new line of x86-based security devices named ASA which, unfortunately, were not supported by ntop/nProbe for a long time. As of today (June 15th 2010, SVN revision 4299) ntop/nProbe finally supports ASA. Please note that as ASA units do not export templates very often, ntop might need some time to start decoding flows (until the template is received). Furthermore, as the nature of ASA flows (e.g. notify when a new …
nProbe

Port Mirror vs Network Tap

In order to analyze network traffic, it’s necessary to feed ntop/nProbe with network packets. There are two solutions to the problem: port mirror (also called SPAN in Cisco parlance) and network tap. Prior to explaining the differences between these two solutions, it’s important to understand how Ethernet works. At 100 Mbit and above, hosts usually speak in full duplex, meaning that a host can both send and receive simultaneously. This means that on a 100 Mbit cable connected to a host, the total amount of traffic that a host can send/receive is …