SlideShare a Scribd company logo
Kernel packet capture technologies
Éric Leblond
Stamus Networks
October 1, 2015
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 1 / 54
1 Introduction
2 Why capture
3 Libcap and raw socket
4 AF_PACKET
5 PF_RING
6 AF_PACKET goes multi*
7 Netmap
8 Latest AF_PACKET evolution
9 ++zero copy
10 Conclusion
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 2 / 54
Éric Leblond
Co-founder of Stamus Networks
Company providing network probe based on Suricata
Focusing on bringing you the best of Suricata IDS technology
Open source hacker
Suricata core developer
Netfilter core team member
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 4 / 54
Raw socket: definition
A raw socket is an internet socket that allows direct sending and receiving of Internet
Protocol packets without any protocol-specific transport layer formatting.
Wikipedia
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 6 / 54
"The End of the Internet"
[raw socket ...] spells catastrophe for the integrity of the Internet.
Steve Gibson in 2001
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 7 / 54
"The End of the Internet"
Talking about introduction of raw socket in MS Windows
Allow users to write any packets
Could be used to abuse protocol and [poorly implemented] OS
More info at http://www.informit.com/articles/article.aspx?p=27289
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 8 / 54
Raw socket: usage
Send and receive
Send low level message: icmp, igmp
Implement new protocol in userspace
Sniffing
Capture traffic
Promiscuous mode
Use by network monitoring tools
Debugging tools: tcpdump, wireshark
Monitoring tools: iptraf, ntop, NSA
Intrusion detection systems: snort, bro, suricata
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 9 / 54
Network Intrusion Detection System: definition
An intrusion detection system (IDS) is a device or software application that monitors
network or system activities for malicious activities or policy violations and produces
reports to a management station.
Wikipedia
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 10 / 54
Network Intrusion Detection System: challenge
IDS detection rule
Some data
Complexity of rule
Work on recontructed stream
Protocol field analysis
Pattern recognition on ungzipped content (http_server_body)
Got around 15000 rules in standard ruleset
Need to inspect 10Gbps of trafic or more
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 11 / 54
Suricata: Open source & multi threaded IDS
IDS and IPS engine
Get it here: http://www.suricata-ids.org
Project started in 2008
Open Source (GPLv2)
Funded by consortium members (and originaly US
government)
Run by Open Information Security Foundation (OISF)
More information about OISF at
http://www.oisf.net/
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 12 / 54
Suricata Features
High performance, scalable through multi threading
Protocol identification
File identification, extraction, on the fly MD5 calculation
TLS handshake analysis, detect/prevent things like Diginotar
Hardware acceleration support:
Useful logging like HTTP request log, TLS certificate log, DNS logging
Lua scripting for detection
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 13 / 54
libpcap
Multi OS abstraction for packet capture
All *nix, Windows
Multi layer: Network, USB, . . .
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 15 / 54
Raw socket: the initial implementation
A dedicated socket type
#include <sys / socket . h>
#include < netinet / in . h>
raw_socket = socket (AF_INET , SOCK_RAW, int protocol ) ;
Straight socket mode
Get packet per packet via recvmsg
Optional ioctl
Get timestamp
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 16 / 54
Memories of another time
"640 K ought to be enough for anybody." Memory contraint design
No preallocation
On demand only
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 17 / 54
Disclaimer
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 18 / 54
IDS design
Monoprocess
No Performance for you, go home now.
Marty Roesch about multithread and network data processing, 2010
Suricata architecture
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 19 / 54
NAPI (2001-200?)
Reducing interrupts usage
Interrupts tempest at high packet rate
All CPU time is sued to handle the interrupts
NIC driver needs to be updated
No direct change for packet capture
Change internal to device driver
Direct performance impact on packet capture
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 21 / 54
NAPI performance
Table extracted from luca.ntop.org/Ring.pdf
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 22 / 54
Problem of the socket mode
Internal path
Data in card buffer
Data copied to skb
Data copied to socket
Data read and copied by userspace
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 23 / 54
Memory map approach
Sharing is the solution
Kernel expose some memory
Userspace access memory directly
Spare a message sending for every packets
mmap internal path
Data in card buffer
Data copied to skb
Data copied to ring buffer
Userspace access data via pointer in ring buffer
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 24 / 54
TPACKET_V2
setup
socket(): creation of the capture socket
setsockopt(): allocation of the circular buffer (ring) via PACKET_RX_RING option
mmap(): mapping of the allocated buffer to the user process
capture
poll(): to wait for incoming packets
shutdown
close(): destruction of the capture socket and deallocation of all associated resources.
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 25 / 54
Memory organization
Ascii art
block #1 block #2
+---------+---------+ +---------+---------+
| frame 1 | frame 2 | | frame 3 | frame 4 |
+---------+---------+ +---------+---------+
block #3 block #4
+---------+---------+ +---------+---------+
| frame 5 | frame 6 | | frame 7 | frame 8 |
+---------+---------+ +---------+---------+
Components
Frame contains a datagram data
Blocks are physically contiguous region of memory
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 26 / 54
Performance
Graph extracted from luca.ntop.org/Ring.pdf
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 27 / 54
Suricata architecture
MMAP option
Support of TPACKET_V2
Zero copy mode
Implied changes
Access data via pointer to ring buffer cell
Release data callback
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 28 / 54
PF_RING original design (2004)
Architecture
ring design
mmap
capture only interface
skip kernel path
put in ring buffer and discard
user access the ring buffer
Project
Project started by Luca Deri
Available as separate sources
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 30 / 54
PF_RING performance
Show real improvement on small size packets
Pre optimisation result
Better result in following version due to a better poll handling
Table extracted from luca.ntop.org/Ring.pdf
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 31 / 54
PF_RING going multicore (around 2008?)
Sharing the load
Each core has a finite bandwidth capability
Multicore CPU were introduced in 2006
Sharing load become common
Previously separate hardware was used to split the network load
Straight forward solution
Allow multiple sockets to be attached to one interface
Load balance over the attached sockets
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 32 / 54
Suricata autofp multi reader
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 33 / 54
PF_RING code
Build system and sources
Custom build system
No autotools or cmake
Include patched drivers
SVN stats
g i t log −−format=format : "%s " | sort | uniq −c | sort −n | t a i l −n10
15 Minor change
20 f i x
20 minor changes
22 l i b refresh
30 Library refresh
43 minor change
67 minor f i x
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 34 / 54
David Miller in da place
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 36 / 54
AF_PACKET load balancing (2011)
Multiple sockets on same interface
Kernel does load balancing
Multiple algorithms
LB algorithm
Round-robin
Flow: all packets of a given flow are send to the same socket
CPU: all packets treated in kernel by a CPU are send to the same socket
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 37 / 54
AF_PACKET CPU Load balancing
RSS queues
Multiqueue NIC have multiple TX RX
Data can be split in multiple queues
Programmed by user
Flow load balanced
RSS queues load balancing
NIC does load balancing using hash function
CPU affinity is set to ensure we keep the cache line
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 38 / 54
Suricata workers mode
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 39 / 54
tpacket_v3 (2011)
The problem
Cell are fixed size
Size is the one of biggest packet (MTU)
Small packets use same memory as big one
Variable size cells
Ring buffer
Update memory mapping to enable variable sizes
Use a get pointer to next cell approach
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 40 / 54
Netmap (2012)
Similar approach than PF_RING
skip kernel path
put in ring buffer and discard
User access the ring buffer
Paired with network card ring
More info http://queue.acm.org/detail.cfm?id=2103536
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 42 / 54
Performances
Table by Luigi Rizzo
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 43 / 54
AF_PACKET rollover option (2013)
Single intensive flow
Load balancing is flow based
One intensive flow saturate core capacity
Load needs to be shared
Principle
Move to next ring when ring is full
As a load balancing mode
As a fallback method
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 45 / 54
Rollover and suricata (1/2)
Graph by Victor Julien
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 46 / 54
Rollover and suricata (2/2)
A TCP streaming issue
Rollover activation lead to out of order packets
Fool TCP stream reconstruction by suricata
Result in invalid streams
Possible solution
Evolve autofop multicapture
Decode and dispatch packets
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 47 / 54
DPDK (2012-)
Data Plane Development Kit
set of libraries and driver
design for fast packet processing
impact on software architecture
Architecture
multicore framework
huge page memory
ring buffers
poll-mode drivers
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 48 / 54
Suricata workers mode limit
Packet treatment can be really long
Involve I/O on disk or network
Huge computation like regular expression
Ring buffers are limited in size
A slow packet can block a whole buffer
Suricata need to dequeue faster
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 50 / 54
Need to evolve Suricata architecture
Switch to asynchronous
Release ring buffer elements as fast as possible
Buffer in userspace
An enhanced autofp approach?
Fast decode
Copy data to packet pool of detect thread
With a fast decision
Release data
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 51 / 54
Conclusion (1/2)
A small subject and a huge evolution
Has follow evolution of hardware architecture
Always need to deal with more speed
10Gbps is common
100Gbps is in sight
Multiple technologies
Vanilla kernel propose some solutions
Patching may be required to do more
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 53 / 54
Conclusion (2/2)
Do you have questions ?
Contact me
Mail: eleblond@stamus-networks.com
Twitter: @Regiteric
More information
Suricata: http://www.suricata-ids.org
PF_RING: http://www.ntop.org/products/packet-capture/pf_ring/
netmap: http://info.iet.unipi.it/~luigi/netmap/
dpdk: http://dpdk.org/
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 54 / 54

More Related Content

What's hot

Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
Adrien Mahieux
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
Nikita Popov
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals
哲豪 康哲豪
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
Brendan Gregg
 
Intel dpdk Tutorial
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk Tutorial
Saifuddin Kaijar
 
Kernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea Arcangeli
Kernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea ArcangeliKernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea Arcangeli
Kernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea Arcangeli
Anne Nicolas
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Brendan Gregg
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
Understanding of linux kernel memory model
Understanding of linux kernel memory modelUnderstanding of linux kernel memory model
Understanding of linux kernel memory model
SeongJae Park
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack
monad bobo
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
Linux Synchronization Mechanism: RCU (Read Copy Update)
Linux Synchronization Mechanism: RCU (Read Copy Update)Linux Synchronization Mechanism: RCU (Read Copy Update)
Linux Synchronization Mechanism: RCU (Read Copy Update)
Adrian Huang
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
Adrian Huang
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421
Linaro
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
libfetion
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
Denys Haryachyy
 
Java Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame Graphs
Brendan Gregg
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Anne Nicolas
 

What's hot (20)

Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
 
Intel dpdk Tutorial
Intel dpdk TutorialIntel dpdk Tutorial
Intel dpdk Tutorial
 
Kernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea Arcangeli
Kernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea ArcangeliKernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea Arcangeli
Kernel Recipes 2017 - 20 years of Linux Virtual Memory - Andrea Arcangeli
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
Understanding of linux kernel memory model
Understanding of linux kernel memory modelUnderstanding of linux kernel memory model
Understanding of linux kernel memory model
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
Linux Synchronization Mechanism: RCU (Read Copy Update)
Linux Synchronization Mechanism: RCU (Read Copy Update)Linux Synchronization Mechanism: RCU (Read Copy Update)
Linux Synchronization Mechanism: RCU (Read Copy Update)
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
 
The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421The Linux Kernel Scheduler (For Beginners) - SFO17-421
The Linux Kernel Scheduler (For Beginners) - SFO17-421
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
Java Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame Graphs
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
 

Viewers also liked

Libpcap
LibpcapLibpcap
Libpcap
liu qiang
 
Systemtap
SystemtapSystemtap
Systemtap
Feng Yu
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
Abhishek Khune
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
Kristian Arjianto
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniques
Satpal Parmar
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
Satpal Parmar
 
TCP protocol flow control
TCP protocol flow control TCP protocol flow control
TCP protocol flow control
anuragjagetiya
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
Anne Nicolas
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracing
Viller Hsiao
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
Brendan Gregg
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
Xiaozhe Wang
 
Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013
Hajime Tazaki
 
Linux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic KernelLinux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic Kernel
Hajime Tazaki
 
Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)
SDNRG ITB
 

Viewers also liked (14)

Libpcap
LibpcapLibpcap
Libpcap
 
Systemtap
SystemtapSystemtap
Systemtap
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniques
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
TCP protocol flow control
TCP protocol flow control TCP protocol flow control
TCP protocol flow control
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracing
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
 
Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013
 
Linux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic KernelLinux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic Kernel
 
Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)
 

Similar to Kernel Recipes 2015: Kernel packet capture technologies

[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
hackersuli
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
PROIDEA
 
uCluster
uClusteruCluster
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
Bridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracingBridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracing
Christian Babeux
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
Joel W. King
 
Python on Rails - Victory Levy
Python on Rails - Victory LevyPython on Rails - Victory Levy
Python on Rails - Victory Levy
Hakka Labs
 
Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and tools
Stefano Salsano
 
Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools i
Syaiful Ahdan
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and Containers
Kernel TLV
 
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PROIDEA
 
Microprocessor.ppt
Microprocessor.pptMicroprocessor.ppt
Microprocessor.ppt
safia kalwar
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
aaajjj4
 
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Michelle Holley
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Puppet
 
No[1][1]
No[1][1]No[1][1]
No[1][1]
51 lecture
 
G rpc talk with intel (3)
G rpc talk with intel (3)G rpc talk with intel (3)
G rpc talk with intel (3)
Intel
 
Again music
Again musicAgain music
Again music
variable_orr
 
Introduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVMIntroduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVM
Zainal Abidin
 
Full PPT Stack
Full PPT StackFull PPT Stack
Full PPT Stack
Wendi Sapp
 

Similar to Kernel Recipes 2015: Kernel packet capture technologies (20)

[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
uCluster
uClusteruCluster
uCluster
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Bridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracingBridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracing
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
 
Python on Rails - Victory Levy
Python on Rails - Victory LevyPython on Rails - Victory Levy
Python on Rails - Victory Levy
 
Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and tools
 
Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools i
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and Containers
 
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
 
Microprocessor.ppt
Microprocessor.pptMicroprocessor.ppt
Microprocessor.ppt
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
 
No[1][1]
No[1][1]No[1][1]
No[1][1]
 
G rpc talk with intel (3)
G rpc talk with intel (3)G rpc talk with intel (3)
G rpc talk with intel (3)
 
Again music
Again musicAgain music
Again music
 
Introduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVMIntroduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVM
 
Full PPT Stack
Full PPT StackFull PPT Stack
Full PPT Stack
 

More from Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
Anne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
Anne Nicolas
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Anne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Anne Nicolas
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Anne Nicolas
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
Anne Nicolas
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Anne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Anne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
Anne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
Anne Nicolas
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
Anne Nicolas
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Anne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Anne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 

More from Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 

Recently uploaded

02. Ruby Basic slides - Ruby Core Teaching
02. Ruby Basic slides - Ruby Core Teaching02. Ruby Basic slides - Ruby Core Teaching
02. Ruby Basic slides - Ruby Core Teaching
quanhoangd129
 
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
singhlata50dh
 
06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching
quanhoangd129
 
B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024
vmsdeptcom
 
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
rachitkumar09887
 
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdfAI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
Daniel Zivkovic
 
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
OnePlan Solutions
 
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical SystemsInflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
Inflectra
 
09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching
quanhoangd129
 
How to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at ScaleHow to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at Scale
Anchore
 
03. Ruby Variables & Regex - Ruby Core Teaching
03. Ruby Variables & Regex - Ruby Core Teaching03. Ruby Variables & Regex - Ruby Core Teaching
03. Ruby Variables & Regex - Ruby Core Teaching
quanhoangd129
 
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
902basic
 
01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching
quanhoangd129
 
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
bhumivarma35300
 
Applitools Autonomous 2.0 Sneak Peek.pdf
Applitools Autonomous 2.0 Sneak Peek.pdfApplitools Autonomous 2.0 Sneak Peek.pdf
Applitools Autonomous 2.0 Sneak Peek.pdf
Applitools
 
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
norina2645
 
07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching
quanhoangd129
 
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
bahubalikumar09988
 
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
andrehoraa
 
當測試開始左移
當測試開始左移當測試開始左移
當測試開始左移
Jersey (CHE-PING) Su
 

Recently uploaded (20)

02. Ruby Basic slides - Ruby Core Teaching
02. Ruby Basic slides - Ruby Core Teaching02. Ruby Basic slides - Ruby Core Teaching
02. Ruby Basic slides - Ruby Core Teaching
 
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
High Girls Call Chennai 000XX00000 Provide Best And Top Girl Service And No1 ...
 
06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching
 
B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024
 
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
Agra Girls Call Agra 0X0000000X Unlimited Short Providing Girls Service Avail...
 
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdfAI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
AI - Your Startup Sidekick (Leveraging AI to Bootstrap a Lean Startup).pdf
 
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
 
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical SystemsInflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
 
09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching
 
How to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at ScaleHow to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at Scale
 
03. Ruby Variables & Regex - Ruby Core Teaching
03. Ruby Variables & Regex - Ruby Core Teaching03. Ruby Variables & Regex - Ruby Core Teaching
03. Ruby Variables & Regex - Ruby Core Teaching
 
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
 
01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching
 
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
 
Applitools Autonomous 2.0 Sneak Peek.pdf
Applitools Autonomous 2.0 Sneak Peek.pdfApplitools Autonomous 2.0 Sneak Peek.pdf
Applitools Autonomous 2.0 Sneak Peek.pdf
 
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
 
07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching07. Ruby String Slides - Ruby Core Teaching
07. Ruby String Slides - Ruby Core Teaching
 
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
 
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
PathSpotter: Exploring Tested Paths to Discover Missing Tests (FSE 2024)
 
當測試開始左移
當測試開始左移當測試開始左移
當測試開始左移
 

Kernel Recipes 2015: Kernel packet capture technologies

  • 1. Kernel packet capture technologies Éric Leblond Stamus Networks October 1, 2015 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 1 / 54
  • 2. 1 Introduction 2 Why capture 3 Libcap and raw socket 4 AF_PACKET 5 PF_RING 6 AF_PACKET goes multi* 7 Netmap 8 Latest AF_PACKET evolution 9 ++zero copy 10 Conclusion Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 2 / 54
  • 3. Éric Leblond Co-founder of Stamus Networks Company providing network probe based on Suricata Focusing on bringing you the best of Suricata IDS technology Open source hacker Suricata core developer Netfilter core team member Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 4 / 54
  • 4. Raw socket: definition A raw socket is an internet socket that allows direct sending and receiving of Internet Protocol packets without any protocol-specific transport layer formatting. Wikipedia Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 6 / 54
  • 5. "The End of the Internet" [raw socket ...] spells catastrophe for the integrity of the Internet. Steve Gibson in 2001 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 7 / 54
  • 6. "The End of the Internet" Talking about introduction of raw socket in MS Windows Allow users to write any packets Could be used to abuse protocol and [poorly implemented] OS More info at http://www.informit.com/articles/article.aspx?p=27289 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 8 / 54
  • 7. Raw socket: usage Send and receive Send low level message: icmp, igmp Implement new protocol in userspace Sniffing Capture traffic Promiscuous mode Use by network monitoring tools Debugging tools: tcpdump, wireshark Monitoring tools: iptraf, ntop, NSA Intrusion detection systems: snort, bro, suricata Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 9 / 54
  • 8. Network Intrusion Detection System: definition An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. Wikipedia Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 10 / 54
  • 9. Network Intrusion Detection System: challenge IDS detection rule Some data Complexity of rule Work on recontructed stream Protocol field analysis Pattern recognition on ungzipped content (http_server_body) Got around 15000 rules in standard ruleset Need to inspect 10Gbps of trafic or more Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 11 / 54
  • 10. Suricata: Open source & multi threaded IDS IDS and IPS engine Get it here: http://www.suricata-ids.org Project started in 2008 Open Source (GPLv2) Funded by consortium members (and originaly US government) Run by Open Information Security Foundation (OISF) More information about OISF at http://www.oisf.net/ Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 12 / 54
  • 11. Suricata Features High performance, scalable through multi threading Protocol identification File identification, extraction, on the fly MD5 calculation TLS handshake analysis, detect/prevent things like Diginotar Hardware acceleration support: Useful logging like HTTP request log, TLS certificate log, DNS logging Lua scripting for detection Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 13 / 54
  • 12. libpcap Multi OS abstraction for packet capture All *nix, Windows Multi layer: Network, USB, . . . Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 15 / 54
  • 13. Raw socket: the initial implementation A dedicated socket type #include <sys / socket . h> #include < netinet / in . h> raw_socket = socket (AF_INET , SOCK_RAW, int protocol ) ; Straight socket mode Get packet per packet via recvmsg Optional ioctl Get timestamp Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 16 / 54
  • 14. Memories of another time "640 K ought to be enough for anybody." Memory contraint design No preallocation On demand only Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 17 / 54
  • 15. Disclaimer Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 18 / 54
  • 16. IDS design Monoprocess No Performance for you, go home now. Marty Roesch about multithread and network data processing, 2010 Suricata architecture Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 19 / 54
  • 17. NAPI (2001-200?) Reducing interrupts usage Interrupts tempest at high packet rate All CPU time is sued to handle the interrupts NIC driver needs to be updated No direct change for packet capture Change internal to device driver Direct performance impact on packet capture Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 21 / 54
  • 18. NAPI performance Table extracted from luca.ntop.org/Ring.pdf Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 22 / 54
  • 19. Problem of the socket mode Internal path Data in card buffer Data copied to skb Data copied to socket Data read and copied by userspace Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 23 / 54
  • 20. Memory map approach Sharing is the solution Kernel expose some memory Userspace access memory directly Spare a message sending for every packets mmap internal path Data in card buffer Data copied to skb Data copied to ring buffer Userspace access data via pointer in ring buffer Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 24 / 54
  • 21. TPACKET_V2 setup socket(): creation of the capture socket setsockopt(): allocation of the circular buffer (ring) via PACKET_RX_RING option mmap(): mapping of the allocated buffer to the user process capture poll(): to wait for incoming packets shutdown close(): destruction of the capture socket and deallocation of all associated resources. Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 25 / 54
  • 22. Memory organization Ascii art block #1 block #2 +---------+---------+ +---------+---------+ | frame 1 | frame 2 | | frame 3 | frame 4 | +---------+---------+ +---------+---------+ block #3 block #4 +---------+---------+ +---------+---------+ | frame 5 | frame 6 | | frame 7 | frame 8 | +---------+---------+ +---------+---------+ Components Frame contains a datagram data Blocks are physically contiguous region of memory Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 26 / 54
  • 23. Performance Graph extracted from luca.ntop.org/Ring.pdf Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 27 / 54
  • 24. Suricata architecture MMAP option Support of TPACKET_V2 Zero copy mode Implied changes Access data via pointer to ring buffer cell Release data callback Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 28 / 54
  • 25. PF_RING original design (2004) Architecture ring design mmap capture only interface skip kernel path put in ring buffer and discard user access the ring buffer Project Project started by Luca Deri Available as separate sources Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 30 / 54
  • 26. PF_RING performance Show real improvement on small size packets Pre optimisation result Better result in following version due to a better poll handling Table extracted from luca.ntop.org/Ring.pdf Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 31 / 54
  • 27. PF_RING going multicore (around 2008?) Sharing the load Each core has a finite bandwidth capability Multicore CPU were introduced in 2006 Sharing load become common Previously separate hardware was used to split the network load Straight forward solution Allow multiple sockets to be attached to one interface Load balance over the attached sockets Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 32 / 54
  • 28. Suricata autofp multi reader Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 33 / 54
  • 29. PF_RING code Build system and sources Custom build system No autotools or cmake Include patched drivers SVN stats g i t log −−format=format : "%s " | sort | uniq −c | sort −n | t a i l −n10 15 Minor change 20 f i x 20 minor changes 22 l i b refresh 30 Library refresh 43 minor change 67 minor f i x Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 34 / 54
  • 30. David Miller in da place Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 36 / 54
  • 31. AF_PACKET load balancing (2011) Multiple sockets on same interface Kernel does load balancing Multiple algorithms LB algorithm Round-robin Flow: all packets of a given flow are send to the same socket CPU: all packets treated in kernel by a CPU are send to the same socket Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 37 / 54
  • 32. AF_PACKET CPU Load balancing RSS queues Multiqueue NIC have multiple TX RX Data can be split in multiple queues Programmed by user Flow load balanced RSS queues load balancing NIC does load balancing using hash function CPU affinity is set to ensure we keep the cache line Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 38 / 54
  • 33. Suricata workers mode Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 39 / 54
  • 34. tpacket_v3 (2011) The problem Cell are fixed size Size is the one of biggest packet (MTU) Small packets use same memory as big one Variable size cells Ring buffer Update memory mapping to enable variable sizes Use a get pointer to next cell approach Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 40 / 54
  • 35. Netmap (2012) Similar approach than PF_RING skip kernel path put in ring buffer and discard User access the ring buffer Paired with network card ring More info http://queue.acm.org/detail.cfm?id=2103536 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 42 / 54
  • 36. Performances Table by Luigi Rizzo Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 43 / 54
  • 37. AF_PACKET rollover option (2013) Single intensive flow Load balancing is flow based One intensive flow saturate core capacity Load needs to be shared Principle Move to next ring when ring is full As a load balancing mode As a fallback method Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 45 / 54
  • 38. Rollover and suricata (1/2) Graph by Victor Julien Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 46 / 54
  • 39. Rollover and suricata (2/2) A TCP streaming issue Rollover activation lead to out of order packets Fool TCP stream reconstruction by suricata Result in invalid streams Possible solution Evolve autofop multicapture Decode and dispatch packets Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 47 / 54
  • 40. DPDK (2012-) Data Plane Development Kit set of libraries and driver design for fast packet processing impact on software architecture Architecture multicore framework huge page memory ring buffers poll-mode drivers Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 48 / 54
  • 41. Suricata workers mode limit Packet treatment can be really long Involve I/O on disk or network Huge computation like regular expression Ring buffers are limited in size A slow packet can block a whole buffer Suricata need to dequeue faster Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 50 / 54
  • 42. Need to evolve Suricata architecture Switch to asynchronous Release ring buffer elements as fast as possible Buffer in userspace An enhanced autofp approach? Fast decode Copy data to packet pool of detect thread With a fast decision Release data Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 51 / 54
  • 43. Conclusion (1/2) A small subject and a huge evolution Has follow evolution of hardware architecture Always need to deal with more speed 10Gbps is common 100Gbps is in sight Multiple technologies Vanilla kernel propose some solutions Patching may be required to do more Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 53 / 54
  • 44. Conclusion (2/2) Do you have questions ? Contact me Mail: eleblond@stamus-networks.com Twitter: @Regiteric More information Suricata: http://www.suricata-ids.org PF_RING: http://www.ntop.org/products/packet-capture/pf_ring/ netmap: http://info.iet.unipi.it/~luigi/netmap/ dpdk: http://dpdk.org/ Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 54 / 54