With Scott Schweitzer, Myricom
If you’re planning on attending Black Hat USA 2012 at Caesar’s Palace in Las Vegas, be sure to stop by the Emulex booth to see a demonstration of FastStack Sniffer10G working with Suricata, at booth #141 at the show. And, we’re also giving away ten passes to the Gun Store for their Zombie package Thursday afternoon!
Of particular excitement for our Implementer’s Lab team is the demonstration that we built that highlights our new OneConnect® OCe12000 10Gb Ethernet (10GbE) Network Xceleration™ solution running FastStack Sniffer10G with Suricata (see our announcement here, for more information). This demo showcases the key performance benefit of moving to OneConnect Network Xceleration over using a standard network adapter.
In this demonstration, we will show server-efficient 10Gb bandwidth and 100 percent lossless performance of the OCe12000 adapter with FastStack Sniffer10G software. This solution can provide network traffic capture, injection and analysis for performance-sensitive and mission-critical market segments, such as network surveillance, monitoring and analysis, deep packet inspection (DPI), test and measurement, and distributed denial-of-service (DDoS) defense appliances. Our demonstration highlights the performance aspect required of these missions by showing maximum 10Gb Ethernet (10GbE) performance when passing typical enterprise-class traffic of more than 3.5 million packets per second, while not dropping a single packet. Generic 10GbE cards running Suricata at this level of traffic will typically drop 70% of the incoming packets.
Suricata with FastStack Sniffer10G
To leverage the performance of FastStack Sniffer10G with Suricata, several things must be done in the proper order:
- Install Sniffer10G: This package includes both a firmware program for the Emulex NX adapter and a new device driver for both Linux and Windows. To obtain the code, log on to Myricom’s website and download the latest build of Sniffer10G for your Linux or Windows system. Then install the code, confirm that the adapter is licensed to run Sniffer10G, and confirm that the driver is loaded properly. Sniffer10G also includes several utilities for testing both packet capture and generation; these can be used to confirm connectivity.
- Build Suricata with Sniffer10G: Suricata is designed to run with a number of adapters. Once you’ve downloaded the Suricata source, make sure that when you configure the build, before compiling, you include the flags needed to use Sniffer10G’s libraries.
- Tune Suricata: The configuration file is /etc/suricata/suricata.yaml, and there are a number of changes that can be made there that will greatly improve system performance.
Running Suricata with FastStack Sniffer10G
To run Suricata with Sniffer10G, you also need to pass in some environment variables that define the number of Sniffer10G buffers to set up and the flags that define how those buffers are connected to threads. Typically, these variables are SNF_NUM_RINGS=16 and SNF_FLAGS=0x1.
How to Test at 3.5 Million Packets per Second Using Real Traffic
The packet capture (pcap) file being played back contains 2,049 unique packets and SNF_REPLAY loops through this file 2500 times to generate a traffic stream of 5.12 million packets. It then injects these packets on the wire, in this case at wire rate, to achieve a packet rate of 3.58 million packets per second (Mpps) at a bandwidth of 9.279 Gbps. The difference between this bandwidth and 10Gbps is overhead, for example the inter-packet spacing on the wire.
Fig 2. Sniffer10G Replay tool usage
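The lossless claim above is only as good as the check behind it. The following is an added example, not code from the original post or from Myricom/Emulex: it derives the expected packet count from the replay parameters (2,049 unique packets, 2500 loops) and compares it against the capture counters Suricata writes to stats.log. The stats.log excerpts are constructed, and the counter names (capture.kernel_packets, capture.kernel_drops) and the "name | thread | value" layout are assumptions about the Suricata build in use.

```python
"""Verify a Sniffer10G replay run reached Suricata without drops.

Added example (not from the original post). Assumes Suricata's stats.log
uses a "counter | thread | value" layout with capture.kernel_packets and
capture.kernel_drops counters; both log excerpts below are constructed.
"""
import re

# Replay parameters from the post: 2,049 unique packets looped 2500 times.
UNIQUE_PACKETS = 2049
REPLAY_LOOPS = 2500

# Constructed stats.log excerpt for a lossless run (values match the post).
LOSSLESS_STATS_LOG = """\
------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------
capture.kernel_packets    | Total                     | 5122500
capture.kernel_drops      | Total                     | 0
decoder.pkts              | Total                     | 5122500
"""

# Constructed excerpt for a generic adapter dropping ~70% of the stream.
DROPPING_STATS_LOG = """\
capture.kernel_packets    | Total                     | 1536750
capture.kernel_drops      | Total                     | 3585750
"""

STAT_LINE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def expected_packets(unique, loops):
    """Packets the replay tool puts on the wire: every loop sends the whole file."""
    return unique * loops

def parse_stats(text):
    """Return {counter_name: value} for the 'Total' rows of a stats.log dump."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m and m.group(2) == "Total":
            stats[m.group(1)] = int(m.group(3))
    return stats

def check_lossless(stats, expected):
    """Return (ok, captured, dropped, drop_ratio); ok only if nothing was lost."""
    captured = stats.get("capture.kernel_packets", 0)
    dropped = stats.get("capture.kernel_drops", 0)
    seen = captured + dropped
    drop_ratio = dropped / seen if seen else 1.0
    ok = dropped == 0 and captured >= expected
    return ok, captured, dropped, round(drop_ratio, 3)
```

Run the check after the replay finishes and stats.log has been flushed; a captured count below the expected value with zero reported drops points at a counter that is not being updated, not at a clean run.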
We will have this solution running live in our booth #141 at Black Hat USA in Las Vegas Nevada. Please feel free to stop by our booth and ask for us to give you a proper demonstration. We look forward to seeing you at Black Hat.