On Wed, Oct 10, 2012 at 3:43 PM, Daniel Borkmann <[email protected]> wrote:
> On Wed, Oct 10, 2012 at 1:32 PM, <[email protected]> wrote:
>> One more query is:
>>
>> 1) Currently you are reading the pcap frame into a TX_RING slot. Post that
>> it is sent to NIC. Can I read a pcap frame into a buffer, decide some
>> filtering on the buffer and if passed, decide which NIC's TX_RING slot to
>> send that packet?
>>
>> That way, if I have filter specific to 8 NIC cards, and I read a pcap frame
>> buffer, I can just read that buffer, decide which NIC that frame has to go
>> and then send?
>>
>> Specifically, in pcap to tx function: This reads pkt header to a NIC card.
>> Instead can I read to a temprary buffer and then decide?
>
> Ok, to answer your questions all at once ... what you want sounds
> reasonable to me. In the Linux kernel, a ring buffer (TX_RING) always
> has to be bound to a particular device before you can fill it with
> frames. Our current architecture does not allocate #NICs TX_RINGs
> reads a pcap and based on a filter passes the packet to one particular
> TX_RING slot. What you could do here is to start #NICs instances of
> netsniff-ng, each bound to a different CPU and with a different filter
> applied. This would give you the same behaviour that you would like to
> have, except that each instance has to read this pcap (but here you
> can read it efficiently with mmap or scatter/gather io).
>
> Speaking about this temporary buffer, we use a ring slot as temporary
> buffer so that we don't need to additionally copy the temp. buffer in
> to the slot again. Thus, we also execute the BPF filtering on that
> ring slot buffer. This saves way more resources because you can avoid
> one packet copy.
Alternatively, you can also transform the pcap with a filter applied
to it into a trafgen config file, and replay only the relevant packets
efficiently through trafgen. In this case, you also need to start
#NICs instances of trafgen, but you don't need to go through the whole
pcap file and the packets for transmission are loaded into memory on
startup time. If you use trafgen, make sure you have an up-to-date
kernel, e.g. 3.6.1 or the like.
>> while (user_may_pull_from_tx(tx_ring.frames[it].iov_base)) {
>> struct pcap_pkthdr phdr;
>> hdr = tx_ring.frames[it].iov_base;
>> /* Kernel assumes: data = ph.raw + po->tp_hdrlen -
>> * sizeof(struct sockaddr_ll); */
>> out = ((uint8_t *) hdr) + TPACKET_HDRLEN -
>> sizeof(struct sockaddr_ll);
>>
>> do {
>> memset(&phdr, 0, sizeof(phdr));
>> ret =
>> pcap_ops[mode->pcap]->read_pcap_pkt(fd, &phdr,
>> out,
>> ring_frame_size(&tx_ring));
>> if (unlikely(ret <= 0))
>> goto out;
>> if (ring_frame_size(&tx_ring) < phdr.len) {
>> phdr.len = ring_frame_size(&tx_ring);
>> trunced++;
>> }
>> } while (mode->filter && !bpf_run_filter(&bpf_ops,
>> out, phdr.len));
>> pcap_pkthdr_to_tpacket_hdr(&phdr, &hdr->tp_h);
>>
>>
>>
>> On Monday, October 8, 2012 7:02:07 PM UTC+5:30, Daniel Borkmann wrote:
>>> On Mon, Oct 8, 2012 at 12:34 PM, <[email protected]> wrote:
>>>
>>> > I downloaded and compiled the netsniff-ng. The replay works perfectly for
>>> > 10G and 1G rates, well above other open source softwares. I have achieved
>>> > around close to 2.6 Mpps with 512 byte packets and close to 5Mpps in 10G
>>> > Intel Ixgbe card.
>>>
>>>
>>>
>>> Thanks for using netsniff-ng!
>>>
>>>
>>>
>>> > I have a few queries:
>>>
>>> >
>>>
>>> > 1) In the code for netnsiff-ng, it expects bpf filter which is applied on
>>> > the Pcap file. Can I instead apply the filter on the TxRing ie. the Intel
>>> > NIC card? So that multiple TxRings can have multiple filters.
>>>
>>> >
>>>
>>> > eg. eth1#SrcPort=1233-1244
>>>
>>> > eth2#IPSrc=1.2.3.4/16 etc.
>>>
>>>
>>>
>>> In netsniff-ng's replay, the BPF filter is run from userspace since it
>>>
>>> only exists in the Linux kernel for ingress packets. You can do the
>>>
>>> following alternative: Run multiple replay instances in parallel on
>>>
>>> bound to different devices (--dev) and with different filters
>>>
>>> (--filter). This should do the same trick.
>>>
>>>
>>>
>>> > 2) One more requirement is that, is it possible to get a bpf filter from
>>> > command line in a human readable format like SrcPort like the one in
>>> > tcpreplay ?
>>>
>>>
>>>
>>> Tobias is working on that. Indeed, until now we only have a low-level
>>>
>>> compiler for a filter, but we're working on a higher-level language
>>>
>>> for easier usage. What you could so for the moment as a workaround is
>>>
>>> to abuse tcpdump for this. "tcpdump -dd <filter>" will output you some
>>>
>>> BPF opcodes that you can store in a file and then pass to netsniff-ng
>>>
>>> as --filter.
>>
>> --
>>
>>
--
