Now and Then, How and When?
June 16th, 2009
Stephen Donnelly
Technologist | Endace Technology
SHARKFEST '09 | Stanford University | June 15–18, 2009
Endace
• Potted history
  – 1996 The University of Waikato
  – 2001 Endace created
  – 2005 Publicly Listed
• Specialists in packet capture
  – High data/packet rates
  – Accurate time stamping
  – Wide variety of network interfaces
Network Monitoring Interfaces
• DAG cards cover many network technologies
• 8000 bps to 39813120000 bps
• TDM - T1/E1/J1
• PDH - T3/E3
• SONET/SDH - OC-3, 12, 48, 192, 768
• InfiniBand – SDR, DDR
Platforms and Appliances
• Open Platforms
  – Full access
• Managed Appliances
  – Packet Capture
  – Trace Replay
  – Applied Watch IDS
  – Flow Export
  – Lawful Intercept
  – CACE Pilot
Lossless Packet Capture
• Capture all packets on link
  – Categorize
  – Filter
  – Present to user
• Debugging
• Security
• Forensics
• Lawful Intercept
Network Interface Cards
• Designed to provide inexpensive network connectivity for diverse applications
  – Web, Email, File transfer
• Generally applications are the bottleneck
  – E.g. a web server generating content
• Protocols are fault tolerant so NIC need not be
• LAN traffic is bursty
NIC Device Model
[Diagram. Labels: NIC; Tx Descriptor Ring; Rx Descriptor Ring; Packet Buffers; Driver; Network Stack; Packet Filter; Libpcap; Application]
Performance Testing
• Simple Libpcap app counting packets
  – Packets Captured vs. Applied
  – CPU Load
• Single processor core
• AMD Opteron 248 (2.2GHz)
• 2GB DDR 400 DRAM
• Linux 2.6.12
DAG cards
• Optimized for packet capture and replay
  – Efficient transfer to and from user applications
• Capture 100% of received packets
  – Full or partial packet capture
  – Account for any packet loss that does occur
• Record accurate timestamps
  – Synchronized clocks for timestamp comparisons
• ERF Format with rich per-packet metadata
DAG 8.1SX
DAG Internals
[Block diagram. Labels: FPGA; 1 to n Network Physical Layer Interface/s; LEDs; Sync Connector; Clock Oscillator; Network Interface / Framer; Power Supply Circuits; CPLD; ROM; JTAG / Test Connector/s; Processor RAM; Coprocessor; Bus Connector; FIFO. Note on diagram: Features only on subset of cards]
DAG Stream Buffer
• Large Static Ring Buffers
  – 4MB to 2GB each
• Window-based Handshaking
  – Minimize per-packet overhead
• Memory-mapped to User space
  – Zero copy
[Ring buffer diagram. Labels: Reading; Filled; Empty; Writing]
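The window-based handshaking on this slide, as an added sketch that is not Endace's driver or libdag code: the reader snapshots the write pointer once, walks every record in the window in place, then releases the window with one pointer update, and the capture side counts a drop when the ring is full. The names `stream_put`, `stream_consume` and `demo`, the 2-byte length-prefixed record layout and the 4096-byte ring are assumptions, and the sketch is single-threaded, so it omits the memory ordering a ring shared between hardware and software needs.

```c
#include <stdint.h>
#include <stdio.h>

#define RING_SIZE 4096u  /* constructed; the slide cites 4MB to 2GB per stream */
/* wr/rd are running byte counts; dropped counts records refused on a full ring. */
struct stream { uint8_t buf[RING_SIZE]; uint64_t wr, rd, dropped; };

/* Capture side: append a record (assumed layout: 2-byte LE length + payload),
 * or account for the loss when it does not fit. */
static int stream_put(struct stream *s, const uint8_t *pkt, uint16_t len) {
    uint64_t need = 2u + len;
    if (need > RING_SIZE - (s->wr - s->rd)) { s->dropped++; return -1; }
    s->buf[s->wr % RING_SIZE] = (uint8_t)(len & 0xff);
    s->buf[(s->wr + 1) % RING_SIZE] = (uint8_t)(len >> 8);
    for (uint64_t i = 0; i < len; i++) s->buf[(s->wr + 2 + i) % RING_SIZE] = pkt[i];
    s->wr += need;
    return 0;
}

/* Reader side: snapshot the write pointer once (the window), walk every record
 * in place without copying, then release the window with one pointer update. */
static size_t stream_consume(struct stream *s, uint64_t *payload_bytes) {
    uint64_t top = s->wr, pos = s->rd;
    size_t records = 0;
    while (top - pos >= 2) {
        uint64_t len = s->buf[pos % RING_SIZE] | ((uint64_t)s->buf[(pos + 1) % RING_SIZE] << 8);
        if (2 + len > top - pos) break;  /* partial record: wait for next window */
        *payload_bytes += len;
        pos += 2 + len;
        records++;
    }
    s->rd = pos;  /* a single handshake for the whole window */
    return records;
}

/* Constructed demo: offer `offered` 64-byte packets, then read one window. */
static size_t demo(struct stream *s, int offered, uint64_t *payload_bytes) {
    uint8_t pkt[64] = {0};
    for (int i = 0; i < offered; i++) stream_put(s, pkt, (uint16_t)sizeof pkt);
    return stream_consume(s, payload_bytes);
}

int main(void) {
    static struct stream s;
    uint64_t bytes = 0;
    size_t n = demo(&s, 100, &bytes);
    printf("records=%zu payload=%lu dropped=%lu\n", n,
           (unsigned long)bytes, (unsigned long)s.dropped);
    return 0;
}
```

Offering more records than the ring holds between reads shows up in `dropped` rather than as silent loss, which is the accounting a forensic capture needs.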
DAG Device Model
[Diagram. Labels: DAG; Tx Stream; Rx Stream; Driver; Network Stack; Packet Filter; Libpcap; Application; Rx Stream; Libdag]
Extensible Record Format
Accurate time stamps
• Debugging/Benchmarking/Optimization
  – QoS/SLA
  – Service response time
  – Storage networks
  – Network equipment
  – HPC
• Financial services
  – Time=Money, Latency=Risk
Resolution

| Network | Packet Rate (64 Byte) | Packet Time (64 Byte) | Byte Time |
|---|---|---|---|
| 10BASE-T | 14,880 | 67,200ns | 800ns |
| 100BASE-TX | 148,809 | 6,720ns | 80ns |
| 1000BASE-SX | 1,488,095 | 672ns | 8ns |
| 10GBASE-SR | 14,880,952 | 67.2ns | 0.8ns |
| OC-768c (POS) | 69,721,043 | 14.3ns | 0.2ns |
| 100GBASE-SR10 | 148,809,520 | 6.7ns | 0.08ns |
Reference Clocks
• GPS
  – Worldwide
  – Clear view of sky
• CDMA
  – Works indoors
  – Limited coverage
  – Unknown distance to tower
• Radio (Shortwave)
  – Limited by RF Propagation
Reference Clock Sources
| Reference | Accuracy (Est.) |
|---|---|
| GPS | 100ns |
| CDMA | 10,000ns |
| Radio | 1,000,000ns |
Clock Transports
| Transport | Accuracy (Est.) |
|---|---|
| Hardware | 100ns |
| IEEE 1588 (LAN) | 1,000ns |
| NTP (LAN) | 1,000,000ns |
| NTP (WAN) | 10,000,000ns |