From: "Morten Brørup" <mb@smartsharesystems.com>
To: "Arnon Warshavsky" <arnon@qwilt.com>,
"Bruce Richardson" <bruce.richardson@intel.com>
Cc: dev@dpdk.org
Subject: Re: [dpdk-dev] tcpdump support in DPDK 2.3
Date: Wed, 16 Dec 2015 12:56:27 +0100 [thread overview]
Message-ID: <98CBD80474FA8B44BF855DF32C47DC358AF770@smartserver.smartshare.dk> (raw)
In-Reply-To: <CAKy9EB3JRJSuqnzb=i96wYi9DNQdXG9qrJET_g4zMfD=m1UuYQ@mail.gmail.com>
Great idea, Arnon. Let’s look at existing use cases from the real world.
Our company makes network appliances. They are not running GNU/Linux or similar, so they do not offer a BASH prompt or any other BSD/Linux like command line interface.
Here’s a simplified description of how the user interacts with the packet capture feature in our appliances:
Our GUI allows you to input a filter, e.g. a MAC address, an IP address or a compiled BPF program as a single hexadecimal string (roughly “tcpdump –ddd” output), and start capturing. The captured packets can then be downloaded from the GUI in pcap format.
The other packet filters our appliance needs, e.g. DHCP, ARP etc., are not provided by the user (or by any other external interaction), but are hardcoded in C, just like any other part of our firmware.
Med venlig hilsen / kind regards
Morten Brørup
CTO
SmartShare Systems A/S
Tonsbakken 16-18
DK-2740 Skovlunde
Denmark
Office +45 70 20 00 93
Direct +45 89 93 50 22
Mobile +45 25 40 82 12
mb@smartsharesystems.com <mailto:mb@smartsharesystems.com>
www.smartsharesystems.com <http://www.smartsharesystems.com/>
From: Arnon Warshavsky [mailto:arnon@qwilt.com]
Sent: 16. december 2015 12:37
To: Bruce Richardson
Cc: Matthew Hall; dev@dpdk.org; Morten Brørup
Subject: Re: [dpdk-dev] tcpdump support in DPDK 2.3
2 points from our experience in saving pcap files from a dpdk 10G fire hose:
1)
Our capture module provides a small "bit-vector" to the code that handles the packets.
Since our packet processing code is already finding out basic stuff about the packet traversing it (is it IPv4? v6? is it TCP? is it fragmented? ..etc), it sets the relevant bits ON as it goes ,so that the capture module can later quickly (mask against desired filters) decide if the a packet needs to be captured.
Point is - when a capture layer exposes a slim API that lets it utilize info coming from other modules , its easier and less expensive to handle the fire hose.
2)
In many cases we are interested in capturing complete TCP flows, or at least the first X packets of them.
In this case, A more expensive filter may be applied only on the SYN packet and when matches, turns ON a bit on the tcp flow applicative context that says we want to capture any packet falling under this tuple.
Point is - applicative filters at different costs are applied on different packet types utilizing the mask from the previous bullet
Such a model should obviously need to be optional on a formal capture layer,
but when dealing with a fire hose - I find it very useful.
/Arnon
next prev parent reply other threads:[~2015-12-16 11:56 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-14 9:57 Morten Brørup
2015-12-14 15:45 ` Aaron Conole
2015-12-14 15:48 ` Thomas Monjalon
2015-12-14 18:29 ` Matthew Hall
2015-12-14 19:14 ` Stephen Hemminger
2015-12-14 22:23 ` Matthew Hall
2015-12-14 19:17 ` Aaron Conole
2015-12-14 21:29 ` Kyle Larose
2015-12-14 22:36 ` Matthew Hall
2015-12-16 10:45 ` Bruce Richardson
2015-12-16 11:37 ` Arnon Warshavsky
2015-12-16 11:56 ` Morten Brørup [this message]
2015-12-16 11:40 ` Morten Brørup
2015-12-16 11:56 ` Bruce Richardson
2015-12-16 12:26 ` Morten Brørup
2015-12-16 13:12 ` Bruce Richardson
2015-12-16 22:45 ` Morten Brørup
2015-12-16 23:38 ` Matthew Hall
2015-12-17 5:59 ` Arnon Warshavsky
2015-12-16 18:15 ` Matthew Hall
2015-12-21 15:39 ` Bruce Richardson
2015-12-21 16:08 ` Morten Brørup
2015-12-21 16:17 ` Gray, Mark D
2015-12-21 17:22 ` Matthew Hall
2015-12-21 16:11 ` Gray, Mark D
2015-12-14 22:25 ` Matthew Hall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98CBD80474FA8B44BF855DF32C47DC358AF770@smartserver.smartshare.dk \
--to=mb@smartsharesystems.com \
--cc=arnon@qwilt.com \
--cc=bruce.richardson@intel.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).