Thursday, January 22, 2015

Performance 10GbE Capture & Time Stamping

From Sony to Park-n-Fly, we're seeing the impact data breaches can have on corporations. To that end, many companies are beginning to consider inspecting all the data that enters and leaves their enterprise in an attempt to thwart breaches as they occur. At the heart of this effort lies wire-rate lossless 10GbE capture. Furthermore, some customers are seeking highly accurate time stamps on all captured packets so that performance can be measured, and issues can easily be tracked and collated across an enterprise against the backing of a solid, trusted temporal (time-based) infrastructure. To capture both received and transmitted packets on two 10G interfaces in parallel, with time stamps, there is only one choice for those looking for an adapter/software bundle under $5K, and that is Solarflare’s SFN7142Q-SCP. This is Solarflare’s SFN7142Q adapter with a PPS bracket kit, a Precision Time Protocol (PTP) license, and a SolarCapture Pro license. Note that you will need to order a pair of QSA modules separately, due to agency certification issues.

So why has Solarflare gone to the trouble of bundling together all of these parts? Simple: to make it easier for potential customers to try out precision packet capture with highly accurate time stamps. Let's take a moment and decompose this bundle into its component pieces to fully appreciate why this is so important.

First we'll start with the network server adapter, the Solarflare SFN7142Q. This board is driven by a single Solarflare dual-core Ethernet controller chip. Each Ethernet controller core on this chip has multiple packet engines for both receive and transmit queues. This enables the adapter to support wire-rate lossless packet capture even with huge bursts of the smallest sized packets (64 bytes each). Furthermore, this adapter can also transmit wire-rate 64-byte packets at the same time, on the same interface. Solarflare's capture bundle also includes the PPS (Pulse Per Second) bracket kit, which provides the mini-BNC connectors needed to attach the adapter to an external master clock. Unlike similar adapters, there is also a second mini-BNC connector to support daisy chaining the clock signal out of the adapter into another adapter. The SFN7142Q includes a highly precise clock chip, the Stratum 3, which ensures that time stamping is accurate to within 50 nanoseconds of the PTP master. This is 30X more precise than a competing adapter that only captures and time stamps inbound packets.

While the SFN7142Q sports two 40GbE QSFP ports, to ensure wire-rate lossless packet capture Solarflare provides two QSA modules (which you must order separately) that convert the QSFP sockets into 10G SFP+ sockets. This enables each of the two Ethernet controller cores on the adapter to focus on a single 10GbE interface.

Three software license keys are preloaded in the SFN7142Q adapter, and they are: OpenOnload (OOL), Precision Time Protocol (PTP), and SolarCapture Pro (SCP). OpenOnload is Solarflare’s user space stack that permits it to do a zero copy bypass of the operating system, and place the captured data directly into memory connected to the core processing that particular data flow. Precision Time Protocol is a method whereby the external pulse per second master clock can be rationalized to the real time of day then distributed to other applications or servers. Finally, we have SolarCapture Pro. When it comes to capture, SolarCapture Pro is arguably the best. Unlike some other solutions it also captures transmitted packets, and can time stamp both in-bound & out-bound packets, all features only found in higher priced FPGA based solutions. Also SCP can be initialized in cluster mode to spawn multiple capture instances, one per core delivering the data in Libpcap format, then flow-hash the data across all of the cores within the cluster. Flow-hashing is the process of looking at several key fields in the packet header then routing all the traffic from a given source & destination always to the same core so security applications like Snort, Bro & Suricata see all the data for a given network flow.
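To make the flow-hashing idea concrete, here is an added Python sketch that is not SolarCapture code and does not reproduce its hash. The choice of fields (addresses, ports, protocol), the CRC32 hash, and the names `flow_key`, `worker_for` and `build_frame` are assumptions made for illustration; the point is that sorting the two endpoints before hashing sends both directions of a flow to the same core.

```python
import socket
import struct
import zlib

def flow_key(frame: bytes):
    """Direction-independent key for an untagged Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4 (VLAN, IPv6, ARP not handled here)
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20:
        return None
    proto = frame[23]
    ends = [(frame[26:30], 0), (frame[30:34], 0)]
    # Fragments (MF set or offset != 0) are keyed on addresses only, because
    # non-first fragments carry no L4 header to read ports from.
    fragment = struct.unpack("!H", frame[20:22])[0] & 0x3FFF
    l4 = 14 + ihl
    if proto in (6, 17) and not fragment and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        ends = [(frame[26:30], sport), (frame[30:34], dport)]
    lo, hi = sorted(ends)                # same order for both directions
    return lo[0] + struct.pack("!H", lo[1]) + hi[0] + struct.pack("!H", hi[1]) + bytes([proto])

def worker_for(frame: bytes, n_workers: int) -> int:
    """Pick the capture worker (core) index for a frame; non-IPv4 goes to worker 0."""
    key = flow_key(frame)
    return 0 if key is None else zlib.crc32(key) % n_workers

def build_frame(src, dst, sport, dport, proto=6, frag=0):
    """Constructed test frame: zeroed MACs, minimal IPv4 header, ports, padding."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(16)

if __name__ == "__main__":
    fwd = build_frame("10.0.0.5", "192.0.2.10", 51515, 443)   # client -> server
    rev = build_frame("192.0.2.10", "10.0.0.5", 443, 51515)   # server -> client
    print(worker_for(fwd, 8), worker_for(rev, 8))             # same index twice
```

A hash that is not symmetric would split a TCP conversation across two cores, and a stream-reassembling sensor on either core would see only half of it.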

So if you’re looking to get into packet capture for performance monitoring or security programs, please consider contacting Solarflare and asking about their SFN7142Q-SCP. You’ll be pleasantly surprised how it performs when compared to much more expensive FPGA-based solutions. Finally, in a future post we'll talk about Capture SolarSystem, which leverages all of the above to deliver an appliance tuned for high-volume packet capture.
