SlideShare a Scribd company logo
Kernel packet capture technologies
Éric Leblond
Stamus Networks
October 1, 2015
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 1 / 54
1 Introduction
2 Why capture
3 Libcap and raw socket
4 AF_PACKET
5 PF_RING
6 AF_PACKET goes multi*
7 Netmap
8 Latest AF_PACKET evolution
9 ++zero copy
10 Conclusion
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 2 / 54
Éric Leblond
Co-founder of Stamus Networks
Company providing network probe based on Suricata
Focusing on bringing you the best of Suricata IDS technology
Open source hacker
Suricata core developer
Netfilter core team member
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 4 / 54
Raw socket: definition
A raw socket is an internet socket that allows direct sending and receiving of Internet
Protocol packets without any protocol-specific transport layer formatting.
Wikipedia
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 6 / 54
"The End of the Internet"
[raw socket ...] spells catastrophe for the integrity of the Internet.
Steve Gibson in 2001
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 7 / 54
"The End of the Internet"
Talking about introduction of raw socket in MS Windows
Allow users to write any packets
Could be used to abuse protocol and [poorly implemented] OS
More info at http://www.informit.com/articles/article.aspx?p=27289
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 8 / 54
Raw socket: usage
Send and receive
Send low level message: icmp, igmp
Implement new protocol in userspace
Sniffing
Capture traffic
Promiscuous mode
Use by network monitoring tools
Debugging tools: tcpdump, wireshark
Monitoring tools: iptraf, ntop, NSA
Intrusion detection systems: snort, bro, suricata
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 9 / 54
Network Intrusion Detection System: definition
An intrusion detection system (IDS) is a device or software application that monitors
network or system activities for malicious activities or policy violations and produces
reports to a management station.
Wikipedia
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 10 / 54
Network Intrusion Detection System: challenge
IDS detection rule
Some data
Complexity of rule
Work on recontructed stream
Protocol field analysis
Pattern recognition on ungzipped content (http_server_body)
Got around 15000 rules in standard ruleset
Need to inspect 10Gbps of trafic or more
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 11 / 54
Suricata: Open source & multi threaded IDS
IDS and IPS engine
Get it here: http://www.suricata-ids.org
Project started in 2008
Open Source (GPLv2)
Funded by consortium members (and originaly US
government)
Run by Open Information Security Foundation (OISF)
More information about OISF at
http://www.oisf.net/
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 12 / 54
Suricata Features
High performance, scalable through multi threading
Protocol identification
File identification, extraction, on the fly MD5 calculation
TLS handshake analysis, detect/prevent things like Diginotar
Hardware acceleration support:
Useful logging like HTTP request log, TLS certificate log, DNS logging
Lua scripting for detection
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 13 / 54
libpcap
Multi OS abstraction for packet capture
All *nix, Windows
Multi layer: Network, USB, . . .
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 15 / 54
Raw socket: the initial implementation
A dedicated socket type
#include <sys / socket . h>
#include < netinet / in . h>
raw_socket = socket (AF_INET , SOCK_RAW, int protocol ) ;
Straight socket mode
Get packet per packet via recvmsg
Optional ioctl
Get timestamp
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 16 / 54
Memories of another time
"640 K ought to be enough for anybody." Memory contraint design
No preallocation
On demand only
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 17 / 54
Disclaimer
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 18 / 54
IDS design
Monoprocess
No Performance for you, go home now.
Marty Roesch about multithread and network data processing, 2010
Suricata architecture
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 19 / 54
NAPI (2001-200?)
Reducing interrupts usage
Interrupts tempest at high packet rate
All CPU time is sued to handle the interrupts
NIC driver needs to be updated
No direct change for packet capture
Change internal to device driver
Direct performance impact on packet capture
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 21 / 54
NAPI performance
Table extracted from luca.ntop.org/Ring.pdf
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 22 / 54
Problem of the socket mode
Internal path
Data in card buffer
Data copied to skb
Data copied to socket
Data read and copied by userspace
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 23 / 54
Memory map approach
Sharing is the solution
Kernel expose some memory
Userspace access memory directly
Spare a message sending for every packets
mmap internal path
Data in card buffer
Data copied to skb
Data copied to ring buffer
Userspace access data via pointer in ring buffer
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 24 / 54
TPACKET_V2
setup
socket(): creation of the capture socket
setsockopt(): allocation of the circular buffer (ring) via PACKET_RX_RING option
mmap(): mapping of the allocated buffer to the user process
capture
poll(): to wait for incoming packets
shutdown
close(): destruction of the capture socket and deallocation of all associated resources.
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 25 / 54
Memory organization
Ascii art
block #1 block #2
+---------+---------+ +---------+---------+
| frame 1 | frame 2 | | frame 3 | frame 4 |
+---------+---------+ +---------+---------+
block #3 block #4
+---------+---------+ +---------+---------+
| frame 5 | frame 6 | | frame 7 | frame 8 |
+---------+---------+ +---------+---------+
Components
Frame contains a datagram data
Blocks are physically contiguous region of memory
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 26 / 54
Performance
Graph extracted from luca.ntop.org/Ring.pdf
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 27 / 54
Suricata architecture
MMAP option
Support of TPACKET_V2
Zero copy mode
Implied changes
Access data via pointer to ring buffer cell
Release data callback
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 28 / 54
PF_RING original design (2004)
Architecture
ring design
mmap
capture only interface
skip kernel path
put in ring buffer and discard
user access the ring buffer
Project
Project started by Luca Deri
Available as separate sources
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 30 / 54
PF_RING performance
Show real improvement on small size packets
Pre optimisation result
Better result in following version due to a better poll handling
Table extracted from luca.ntop.org/Ring.pdf
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 31 / 54
PF_RING going multicore (around 2008?)
Sharing the load
Each core has a finite bandwidth capability
Multicore CPU were introduced in 2006
Sharing load become common
Previously separate hardware was used to split the network load
Straight forward solution
Allow multiple sockets to be attached to one interface
Load balance over the attached sockets
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 32 / 54
Suricata autofp multi reader
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 33 / 54
PF_RING code
Build system and sources
Custom build system
No autotools or cmake
Include patched drivers
SVN stats
g i t log −−format=format : "%s " | sort | uniq −c | sort −n | t a i l −n10
15 Minor change
20 f i x
20 minor changes
22 l i b refresh
30 Library refresh
43 minor change
67 minor f i x
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 34 / 54
David Miller in da place
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 36 / 54
AF_PACKET load balancing (2011)
Multiple sockets on same interface
Kernel does load balancing
Multiple algorithms
LB algorithm
Round-robin
Flow: all packets of a given flow are send to the same socket
CPU: all packets treated in kernel by a CPU are send to the same socket
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 37 / 54
AF_PACKET CPU Load balancing
RSS queues
Multiqueue NIC have multiple TX RX
Data can be split in multiple queues
Programmed by user
Flow load balanced
RSS queues load balancing
NIC does load balancing using hash function
CPU affinity is set to ensure we keep the cache line
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 38 / 54
Suricata workers mode
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 39 / 54
tpacket_v3 (2011)
The problem
Cell are fixed size
Size is the one of biggest packet (MTU)
Small packets use same memory as big one
Variable size cells
Ring buffer
Update memory mapping to enable variable sizes
Use a get pointer to next cell approach
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 40 / 54
Netmap (2012)
Similar approach than PF_RING
skip kernel path
put in ring buffer and discard
User access the ring buffer
Paired with network card ring
More info http://queue.acm.org/detail.cfm?id=2103536
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 42 / 54
Performances
Table by Luigi Rizzo
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 43 / 54
AF_PACKET rollover option (2013)
Single intensive flow
Load balancing is flow based
One intensive flow saturate core capacity
Load needs to be shared
Principle
Move to next ring when ring is full
As a load balancing mode
As a fallback method
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 45 / 54
Rollover and suricata (1/2)
Graph by Victor Julien
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 46 / 54
Rollover and suricata (2/2)
A TCP streaming issue
Rollover activation lead to out of order packets
Fool TCP stream reconstruction by suricata
Result in invalid streams
Possible solution
Evolve autofop multicapture
Decode and dispatch packets
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 47 / 54
DPDK (2012-)
Data Plane Development Kit
set of libraries and driver
design for fast packet processing
impact on software architecture
Architecture
multicore framework
huge page memory
ring buffers
poll-mode drivers
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 48 / 54
Suricata workers mode limit
Packet treatment can be really long
Involve I/O on disk or network
Huge computation like regular expression
Ring buffers are limited in size
A slow packet can block a whole buffer
Suricata need to dequeue faster
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 50 / 54
Need to evolve Suricata architecture
Switch to asynchronous
Release ring buffer elements as fast as possible
Buffer in userspace
An enhanced autofp approach?
Fast decode
Copy data to packet pool of detect thread
With a fast decision
Release data
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 51 / 54
Conclusion (1/2)
A small subject and a huge evolution
Has follow evolution of hardware architecture
Always need to deal with more speed
10Gbps is common
100Gbps is in sight
Multiple technologies
Vanilla kernel propose some solutions
Patching may be required to do more
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 53 / 54
Conclusion (2/2)
Do you have questions ?
Contact me
Mail: eleblond@stamus-networks.com
Twitter: @Regiteric
More information
Suricata: http://www.suricata-ids.org
PF_RING: http://www.ntop.org/products/packet-capture/pf_ring/
netmap: http://info.iet.unipi.it/~luigi/netmap/
dpdk: http://dpdk.org/
Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 54 / 54

More Related Content

What's hot

Linux BPF Superpowers
Linux BPF SuperpowersLinux BPF Superpowers
Linux BPF Superpowers
Brendan Gregg
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
Hao-Ran Liu
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPF
Brendan Gregg
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
Marian Marinov
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
libfetion
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
Adrian Huang
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
Adrian Huang
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracing
Viller Hsiao
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Brendan Gregg
 
Memory Compaction in Linux Kernel.pdf
Memory Compaction in Linux Kernel.pdfMemory Compaction in Linux Kernel.pdf
Memory Compaction in Linux Kernel.pdf
Adrian Huang
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
lcplcp1
 
spinlock.pdf
spinlock.pdfspinlock.pdf
spinlock.pdf
Adrian Huang
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
National Cheng Kung University
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
Xdp and ebpf_maps
Xdp and ebpf_mapsXdp and ebpf_maps
Xdp and ebpf_maps
lcplcp1
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
Kernel TLV
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Anne Nicolas
 

What's hot (20)

Linux BPF Superpowers
Linux BPF SuperpowersLinux BPF Superpowers
Linux BPF Superpowers
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPFVelocity 2017 Performance analysis superpowers with Linux eBPF
Velocity 2017 Performance analysis superpowers with Linux eBPF
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracing
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPFLinux 4.x Tracing: Performance Analysis with bcc/BPF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
 
Memory Compaction in Linux Kernel.pdf
Memory Compaction in Linux Kernel.pdfMemory Compaction in Linux Kernel.pdf
Memory Compaction in Linux Kernel.pdf
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
 
spinlock.pdf
spinlock.pdfspinlock.pdf
spinlock.pdf
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
 
Xdp and ebpf_maps
Xdp and ebpf_mapsXdp and ebpf_maps
Xdp and ebpf_maps
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
 

Viewers also liked

Libpcap
LibpcapLibpcap
Libpcap
liu qiang
 
Systemtap
SystemtapSystemtap
Systemtap
Feng Yu
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
Abhishek Khune
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
Kristian Arjianto
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniques
Satpal Parmar
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
Satpal Parmar
 
TCP protocol flow control
TCP protocol flow control TCP protocol flow control
TCP protocol flow control
anuragjagetiya
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
Anne Nicolas
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
Brendan Gregg
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
Xiaozhe Wang
 
Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013
Hajime Tazaki
 
Linux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic KernelLinux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic Kernel
Hajime Tazaki
 
Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)
SDNRG ITB
 

Viewers also liked (13)

Libpcap
LibpcapLibpcap
Libpcap
 
Systemtap
SystemtapSystemtap
Systemtap
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and  techniquesDebugging linux kernel tools and  techniques
Debugging linux kernel tools and techniques
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
TCP protocol flow control
TCP protocol flow control TCP protocol flow control
TCP protocol flow control
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
 
Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013
 
Linux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic KernelLinux Kernel Library - Reusing Monolithic Kernel
Linux Kernel Library - Reusing Monolithic Kernel
 
Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)Brocade Software Networking (SDN NFV Day ITB 2016)
Brocade Software Networking (SDN NFV Day ITB 2016)
 

Similar to Kernel Recipes 2015: Kernel packet capture technologies

[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
hackersuli
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
PROIDEA
 
uCluster
uClusteruCluster
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
Bridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracingBridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracing
Christian Babeux
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
Joel W. King
 
Python on Rails - Victory Levy
Python on Rails - Victory LevyPython on Rails - Victory Levy
Python on Rails - Victory Levy
Hakka Labs
 
Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and tools
Stefano Salsano
 
Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools i
Syaiful Ahdan
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and Containers
Kernel TLV
 
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PROIDEA
 
Microprocessor.ppt
Microprocessor.pptMicroprocessor.ppt
Microprocessor.ppt
safia kalwar
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
aaajjj4
 
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Michelle Holley
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Puppet
 
No[1][1]
No[1][1]No[1][1]
No[1][1]
51 lecture
 
G rpc talk with intel (3)
G rpc talk with intel (3)G rpc talk with intel (3)
G rpc talk with intel (3)
Intel
 
Again music
Again musicAgain music
Again music
variable_orr
 
Introduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVMIntroduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVM
Zainal Abidin
 
Full PPT Stack
Full PPT StackFull PPT Stack
Full PPT Stack
Wendi Sapp
 

Similar to Kernel Recipes 2015: Kernel packet capture technologies (20)

[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
uCluster
uClusteruCluster
uCluster
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Bridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracingBridging the gap between hardware and software tracing
Bridging the gap between hardware and software tracing
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
 
Python on Rails - Victory Levy
Python on Rails - Victory LevyPython on Rails - Victory Levy
Python on Rails - Victory Levy
 
Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and tools
 
Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools i
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and Containers
 
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...PLNOG16: Obsługa 100M pps na platformie PC, Przemysław Frasunek, Paweł Mała...
PLNOG16: Obsługa 100M pps na platformie PC , Przemysław Frasunek, Paweł Mała...
 
Microprocessor.ppt
Microprocessor.pptMicroprocessor.ppt
Microprocessor.ppt
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
Install FD.IO VPP On Intel(r) Architecture & Test with Trex*
 
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
Exploring the Final Frontier of Data Center Orchestration: Network Elements -...
 
No[1][1]
No[1][1]No[1][1]
No[1][1]
 
G rpc talk with intel (3)
G rpc talk with intel (3)G rpc talk with intel (3)
G rpc talk with intel (3)
 
Again music
Again musicAgain music
Again music
 
Introduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVMIntroduce: IBM Power Linux with PowerKVM
Introduce: IBM Power Linux with PowerKVM
 
Full PPT Stack
Full PPT StackFull PPT Stack
Full PPT Stack
 

More from Anne Nicolas

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
Anne Nicolas
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Anne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
Anne Nicolas
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Anne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Anne Nicolas
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Anne Nicolas
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
Anne Nicolas
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Anne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Anne Nicolas
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
Anne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
Anne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
Anne Nicolas
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
Anne Nicolas
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Anne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Anne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
Anne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 

More from Anne Nicolas (20)

Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 

Recently uploaded

The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
kalichargn70th171
 
The Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdfThe Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdf
mohitd6
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
Maitrey Patel
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
campbellclarkson
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Bert Jan Schrijver
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
Jhone kinadey
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
safelyiotech
 
Building API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructureBuilding API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructure
confluent
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio, Inc.
 
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Paul Brebner
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
Pedro J. Molina
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
Yara Milbes
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
aeeva
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
Patrick Weigel
 
ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
Reetu63
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
sandeepmenon62
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
kalichargn70th171
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies
 
Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and MoreManyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
narinav14
 

Recently uploaded (20)

The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
 
The Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdfThe Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdf
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 
Building API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructureBuilding API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructure
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
 
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
 
ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and MoreManyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
 

Kernel Recipes 2015: Kernel packet capture technologies

  • 1. Kernel packet capture technologies Éric Leblond Stamus Networks October 1, 2015 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 1 / 54
  • 2. 1 Introduction 2 Why capture 3 Libcap and raw socket 4 AF_PACKET 5 PF_RING 6 AF_PACKET goes multi* 7 Netmap 8 Latest AF_PACKET evolution 9 ++zero copy 10 Conclusion Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 2 / 54
  • 3. Éric Leblond Co-founder of Stamus Networks Company providing network probe based on Suricata Focusing on bringing you the best of Suricata IDS technology Open source hacker Suricata core developer Netfilter core team member Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 4 / 54
  • 4. Raw socket: definition A raw socket is an internet socket that allows direct sending and receiving of Internet Protocol packets without any protocol-specific transport layer formatting. Wikipedia Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 6 / 54
  • 5. "The End of the Internet" [raw socket ...] spells catastrophe for the integrity of the Internet. Steve Gibson in 2001 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 7 / 54
  • 6. "The End of the Internet" Talking about introduction of raw socket in MS Windows Allow users to write any packets Could be used to abuse protocol and [poorly implemented] OS More info at http://www.informit.com/articles/article.aspx?p=27289 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 8 / 54
  • 7. Raw socket: usage Send and receive Send low level message: icmp, igmp Implement new protocol in userspace Sniffing Capture traffic Promiscuous mode Use by network monitoring tools Debugging tools: tcpdump, wireshark Monitoring tools: iptraf, ntop, NSA Intrusion detection systems: snort, bro, suricata Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 9 / 54
  • 8. Network Intrusion Detection System: definition An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. Wikipedia Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 10 / 54
  • 9. Network Intrusion Detection System: challenge IDS detection rule Some data Complexity of rule Work on recontructed stream Protocol field analysis Pattern recognition on ungzipped content (http_server_body) Got around 15000 rules in standard ruleset Need to inspect 10Gbps of trafic or more Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 11 / 54
  • 10. Suricata: Open source & multi threaded IDS IDS and IPS engine Get it here: http://www.suricata-ids.org Project started in 2008 Open Source (GPLv2) Funded by consortium members (and originaly US government) Run by Open Information Security Foundation (OISF) More information about OISF at http://www.oisf.net/ Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 12 / 54
  • 11. Suricata Features High performance, scalable through multi threading Protocol identification File identification, extraction, on the fly MD5 calculation TLS handshake analysis, detect/prevent things like Diginotar Hardware acceleration support: Useful logging like HTTP request log, TLS certificate log, DNS logging Lua scripting for detection Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 13 / 54
  • 12. libpcap Multi OS abstraction for packet capture All *nix, Windows Multi layer: Network, USB, . . . Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 15 / 54
  • 13. Raw socket: the initial implementation A dedicated socket type #include <sys / socket . h> #include < netinet / in . h> raw_socket = socket (AF_INET , SOCK_RAW, int protocol ) ; Straight socket mode Get packet per packet via recvmsg Optional ioctl Get timestamp Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 16 / 54
  • 14. Memories of another time "640 K ought to be enough for anybody." Memory contraint design No preallocation On demand only Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 17 / 54
  • 15. Disclaimer Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 18 / 54
  • 16. IDS design Monoprocess No Performance for you, go home now. Marty Roesch about multithread and network data processing, 2010 Suricata architecture Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 19 / 54
  • 17. NAPI (2001-200?) Reducing interrupts usage Interrupts tempest at high packet rate All CPU time is sued to handle the interrupts NIC driver needs to be updated No direct change for packet capture Change internal to device driver Direct performance impact on packet capture Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 21 / 54
  • 18. NAPI performance Table extracted from luca.ntop.org/Ring.pdf Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 22 / 54
  • 19. Problem of the socket mode Internal path Data in card buffer Data copied to skb Data copied to socket Data read and copied by userspace Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 23 / 54
  • 20. Memory map approach Sharing is the solution Kernel expose some memory Userspace access memory directly Spare a message sending for every packets mmap internal path Data in card buffer Data copied to skb Data copied to ring buffer Userspace access data via pointer in ring buffer Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 24 / 54
  • 21. TPACKET_V2 setup socket(): creation of the capture socket setsockopt(): allocation of the circular buffer (ring) via PACKET_RX_RING option mmap(): mapping of the allocated buffer to the user process capture poll(): to wait for incoming packets shutdown close(): destruction of the capture socket and deallocation of all associated resources. Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 25 / 54
  • 22. Memory organization Ascii art block #1 block #2 +---------+---------+ +---------+---------+ | frame 1 | frame 2 | | frame 3 | frame 4 | +---------+---------+ +---------+---------+ block #3 block #4 +---------+---------+ +---------+---------+ | frame 5 | frame 6 | | frame 7 | frame 8 | +---------+---------+ +---------+---------+ Components Frame contains a datagram data Blocks are physically contiguous region of memory Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 26 / 54
  • 23. Performance Graph extracted from luca.ntop.org/Ring.pdf Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 27 / 54
  • 24. Suricata architecture MMAP option Support of TPACKET_V2 Zero copy mode Implied changes Access data via pointer to ring buffer cell Release data callback Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 28 / 54
  • 25. PF_RING original design (2004) Architecture ring design mmap capture only interface skip kernel path put in ring buffer and discard user access the ring buffer Project Project started by Luca Deri Available as separate sources Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 30 / 54
  • 26. PF_RING performance Show real improvement on small size packets Pre optimisation result Better result in following version due to a better poll handling Table extracted from luca.ntop.org/Ring.pdf Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 31 / 54
  • 27. PF_RING going multicore (around 2008?) Sharing the load Each core has a finite bandwidth capability Multicore CPU were introduced in 2006 Sharing load become common Previously separate hardware was used to split the network load Straight forward solution Allow multiple sockets to be attached to one interface Load balance over the attached sockets Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 32 / 54
  • 28. Suricata autofp multi reader Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 33 / 54
  • 29. PF_RING code Build system and sources Custom build system No autotools or cmake Include patched drivers SVN stats g i t log −−format=format : "%s " | sort | uniq −c | sort −n | t a i l −n10 15 Minor change 20 f i x 20 minor changes 22 l i b refresh 30 Library refresh 43 minor change 67 minor f i x Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 34 / 54
  • 30. David Miller in da place Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 36 / 54
  • 31. AF_PACKET load balancing (2011) Multiple sockets on same interface Kernel does load balancing Multiple algorithms LB algorithm Round-robin Flow: all packets of a given flow are send to the same socket CPU: all packets treated in kernel by a CPU are send to the same socket Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 37 / 54
  • 32. AF_PACKET CPU Load balancing RSS queues Multiqueue NIC have multiple TX RX Data can be split in multiple queues Programmed by user Flow load balanced RSS queues load balancing NIC does load balancing using hash function CPU affinity is set to ensure we keep the cache line Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 38 / 54
  • 33. Suricata workers mode Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 39 / 54
  • 34. tpacket_v3 (2011) The problem Cell are fixed size Size is the one of biggest packet (MTU) Small packets use same memory as big one Variable size cells Ring buffer Update memory mapping to enable variable sizes Use a get pointer to next cell approach Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 40 / 54
  • 35. Netmap (2012) Similar approach than PF_RING skip kernel path put in ring buffer and discard User access the ring buffer Paired with network card ring More info http://queue.acm.org/detail.cfm?id=2103536 Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 42 / 54
  • 36. Performances Table by Luigi Rizzo Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 43 / 54
  • 37. AF_PACKET rollover option (2013) Single intensive flow Load balancing is flow based One intensive flow saturate core capacity Load needs to be shared Principle Move to next ring when ring is full As a load balancing mode As a fallback method Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 45 / 54
  • 38. Rollover and suricata (1/2) Graph by Victor Julien Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 46 / 54
  • 39. Rollover and suricata (2/2) A TCP streaming issue Rollover activation lead to out of order packets Fool TCP stream reconstruction by suricata Result in invalid streams Possible solution Evolve autofop multicapture Decode and dispatch packets Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 47 / 54
  • 40. DPDK (2012-) Data Plane Development Kit set of libraries and driver design for fast packet processing impact on software architecture Architecture multicore framework huge page memory ring buffers poll-mode drivers Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 48 / 54
  • 41. Suricata workers mode limit Packet treatment can be really long Involve I/O on disk or network Huge computation like regular expression Ring buffers are limited in size A slow packet can block a whole buffer Suricata need to dequeue faster Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 50 / 54
  • 42. Need to evolve Suricata architecture Switch to asynchronous Release ring buffer elements as fast as possible Buffer in userspace An enhanced autofp approach? Fast decode Copy data to packet pool of detect thread With a fast decision Release data Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 51 / 54
  • 43. Conclusion (1/2) A small subject and a huge evolution Has follow evolution of hardware architecture Always need to deal with more speed 10Gbps is common 100Gbps is in sight Multiple technologies Vanilla kernel propose some solutions Patching may be required to do more Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 53 / 54
  • 44. Conclusion (2/2) Do you have questions ? Contact me Mail: eleblond@stamus-networks.com Twitter: @Regiteric More information Suricata: http://www.suricata-ids.org PF_RING: http://www.ntop.org/products/packet-capture/pf_ring/ netmap: http://info.iet.unipi.it/~luigi/netmap/ dpdk: http://dpdk.org/ Éric Leblond (Stamus Networks) Kernel packet capture technologies October 1, 2015 54 / 54