[140032] in North American Network Operators' Group
RE: Wire-rate Packet Capture on 10gbE
daemon@ATHENA.MIT.EDU (Joe Happe)
Fri Apr 29 11:31:50 2011
From: Joe Happe <Joe.Happe@archlearning.com>
To: Michael Holstein <michael.holstein@csuohio.edu>, Kyle Creyts
<kyle.creyts@gmail.com>
Date: Fri, 29 Apr 2011 10:31:43 -0500
In-Reply-To: <4DBACE9B.6080204@csuohio.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Might also take a look at Gigamon, Anue Systems, and similar vendors. It's
possible to use these switches to "slice and dice" traffic from a 10g input
to a farm of 1g tools for packet capture, ids, waf, content filtering etc.
Although there is a cost, it's usually cheaper than having to upgrade
multiple existing tools to 10g speeds. It also solves the issues with the
number of source spans allowed on many Cisco switches, and avoids the
bus/disk issues tools run into when dealing with 10g linerates. (For now at
least)
~jdh
-----Original Message-----
From: Michael Holstein [mailto:michael.holstein@csuohio.edu]
Sent: Friday, April 29, 2011 9:44 AM
To: Kyle Creyts
Cc: nanog@nanog.org
Subject: Re: Wire-rate Packet Capture on 10gbE
> How is this being done? I've looked at PF_RING and TNAPI...
> is there anything better out there?
>
Those two (thanks to Luca) can get you most of the way there, but to really
hit the target you need dedicated kit like Endace (and a few others) make.
They basically do what was represented in the CCC slides somebody else
posted (FPGA with own logic), but on a PCIe card.
Once you've got the ethernet -> interface problem addressed, you need to
examine bottlenecks in interface->bus and particularly bus->disk.
Regards,
Michael Holstein
Cleveland State University
> --Kyle
>
>