Introducing nBPF: line-rate hardware packet filtering (yes Wireshark at 100G is possible)

Posted · Add Comment

Modern network adapters such as Exablaze, Napatech and Silicom’s Intel FM10K, support hardware filters. Unfortunately every company has its own way to set filters, no unified API, and no support of any BPF-like filters. Most of the network monitoring community instead is used to set filters using BPF and thus powerful hardware filtering is present but unused.

This has been the driving force for developing nBPF (ntop BPF). We have realized that most of the times filters include IP, port and protocol, that are exactly the features that hardware-based filters support. Thus we have written from scratch a BPF interpreter able to convert a subset (that should satisfy most of the user needs) of BPF. Filtering happens in hardware if possible, leaving to software-based filtering (as with the classic BPF) the final cleanup, only if necessary.

Libpcap-based application such as Wireshark or tcpdump, can immediately take advantage of nBPF by simply using the lib cap-over-PF_RING library. Example suppose that you want to use Wireshark with nBPF on interface nt:0. All you have to do is:

  1. Install the prerequisite libraries/drivers for your NIC.
  2. git clone https://github.com/ntop/PF_RING.git
  3. Compile PF_RING including the libpcap library under PF_RING/userland/libpcap
  4. Install PF_RING. We assume that the libcap-over-PF_RING library in installed under /usr/local/lib
  5. git clone https://github.com/ntop/n2disk.git
  6. cd PF_RING/tools
  7. sudo su
  8. ./n2if up -i nt:0 -d napatech0
  9. LD_LIBRARY_PATH=/usr/local/lib/ wireshark

In this case in the wireshark capture window you will see a new adapter named napatech0, on which you can capture traffic. Supposing you want to capture tcp packets sent by host 1.2.3.4 you just have to set your filter in Wireshark as usual

nBPF

and voila. Instead of overflooding wireshark with packets, your favourite packet analyser will receive only the packets your are interested in, as all filtering happens in hardware. People who have used wireshark at 10 Gbit or more, know that with this technology you can finally analyse live traffic, thing that was not possible until today.

If you want to see a demo of nBPF you can watch the video below.

nBPF is released in source code as part of PF_RING. You can find the code on github where you can also find implementation notes and README for the various supported NICs.

This is just a preview of nBPF. We will present it extensively at the upcoming conference Sharkfest Europe later this month, where ntop organises a free half-day workshop (you do not have to be registered for the sharkfest to attend it). See you soon mates!