Presentation is loading. Please wait.

Presentation is loading. Please wait.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 To the Terabyte and Beyond! Leveraging Pilot and Wireshark to Analyze Truly Massive Packet Traces.

Published byMerilyn Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "SHARKFEST ‘10 | Stanford University | June 14–17, 2010 To the Terabyte and Beyond! Leveraging Pilot and Wireshark to Analyze Truly Massive Packet Traces."— Presentation transcript:

1 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 To the Terabyte and Beyond! Leveraging Pilot and Wireshark to Analyze Truly Massive Packet Traces June 17, 2010 Loris Degioanni CTO | CACE Technologies SHARKFEST ‘10 Stanford University June 14-17, 2010

2 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Packet Aquisition

3 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Capture Card Dedicated card is essential – No network stack overhead – Minimizes copies – Optimizes locality – Filtering capability in the card normally not really useful Unless in some unusual conditions, the application wants to see everything PCI bus is the only resource that card filtering optimizes Any tap nowadays can do basic filtering – Small packets is the worst condition CACE Turbocap – Hybrid between home-built and off the shelf – No unnecessary features (who needs filtering?) – Affordable price

4 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 CPU Bottlenecks – CPU clock (expensive) – Number of CPUS (cheap) Multi-threading hard to leverage when capturing and processing network packets – Network monitoring is intrinsically sequential Locking is evil – Doing things more than once is better than locking At 10Gbps, cache coherency is a big deal Small packets is the worst condition

5 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Disk Bottlenecks – Single disk write speed – Number of spindles – Raid Controller – Big packets is the worst condition Solid State? Not a good idea yet – Single disk performance is not really the bottleneck – Cost is an important factor when you build a system with tens of disks – Reliability not as proven as the old magnetic disks

6 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Disk write speed based on position

7 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 I can capture a lot of packets. Now what? Read of packets must be non-disruptive! Even if I stop the capture process, since I was writing at full speed, reading the data is going to take around the same time of writing it – Read needs to be localized – I need high level visibility to reach the point I need Indexing

8 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Standalone card vs. kit A network card nowadays is not enough to build a functional packet capture system.

9 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Indexing While capturing, on a Shark Appliance capture job On a trace file, after the fact Summary of the network traffic – Volume, talkers and protocol information – Coordinated with the packet store – “Netflow on steroids” Designed to be extremely efficient in terms of disk usage Coordinated with the packet store

10 SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Indexing Index file Time intervals File Positions Time index pcap file Index entry Packet

Download ppt "SHARKFEST ‘10 | Stanford University | June 14–17, 2010 To the Terabyte and Beyond! Leveraging Pilot and Wireshark to Analyze Truly Massive Packet Traces."

Similar presentations

SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer.

SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer.
Case Study: Photo.net March 20, 2001. 2 What is photo.net? An online learning community for amateur and professional photographers 90,000 registered users.

Case Study: Photo.net March 20, What is photo.net? An online learning community for amateur and professional photographers 90,000 registered users.
SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, 2009 1:30 pm –

SHARKFEST '09 | Stanford University | June 15–18, 2009 The Reality of 10G Analysis Presented by: Network Critical Wednesday, June 17 th, :30 pm –
SHARKFEST '09 | Stanford University | June 15–18, 2009 WinPcap Dos and Donts Wednesday, June 17 th, 2009 Gianluca Varenni Senior Software Engineer | CACE.

SHARKFEST '09 | Stanford University | June 15–18, 2009 WinPcap Dos and Donts Wednesday, June 17 th, 2009 Gianluca Varenni Senior Software Engineer | CACE.
1 Log-Structured File Systems Hank Levy. 2 Basic Problem Most file systems now have large memory caches (buffers) to hold recently-accessed blocks Most.

1 Log-Structured File Systems Hank Levy. 2 Basic Problem Most file systems now have large memory caches (buffers) to hold recently-accessed blocks Most.
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Operating a Flexible Network Monitoring Infrastructure June 17, 2010 Dr Stephen Donnelly Core Software.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 Operating a Flexible Network Monitoring Infrastructure June 17, 2010 Dr Stephen Donnelly Core Software.
Crash Recovery John Ortiz. Lecture 22Crash Recovery2 Review: The ACID properties  Atomicity: All actions in the transaction happen, or none happens 

Crash Recovery John Ortiz. Lecture 22Crash Recovery2 Review: The ACID properties  Atomicity: All actions in the transaction happen, or none happens 
SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.

SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.
Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems TELE9752 Group 3.

Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems TELE9752 Group 3.
Lars Arge 1/43 Big Terrain Data Analysis Algorithms in the Field Workshop SoCG June 19, 2012 Lars Arge.

Lars Arge 1/43 Big Terrain Data Analysis Algorithms in the Field Workshop SoCG June 19, 2012 Lars Arge.
Top Causes for Poor Application Performance Case Studies Mike Canney.

Top Causes for Poor Application Performance Case Studies Mike Canney.
SHARKFEST '09 | Stanford University | June 15–18, 2009 Now and Then, How and When? June 16 th, 2009 Stephen Donnelly Technologist | Endace Technology SHARKFEST.

SHARKFEST '09 | Stanford University | June 15–18, 2009 Now and Then, How and When? June 16 th, 2009 Stephen Donnelly Technologist | Endace Technology SHARKFEST.
Backing Up a Hard Disk CGS2564. Why Backup Programs? Faster Optimized to copy files Can specify only files that have changed Safer Can verify backed up.

Backing Up a Hard Disk CGS2564. Why Backup Programs? Faster Optimized to copy files Can specify only files that have changed Safer Can verify backed up.
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 10 Performance Tuning.

MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 10 Performance Tuning.
Introduction to Network Analysis and Sniffer Pro

Introduction to Network Analysis and Sniffer Pro
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 TAP’s Demystified June 16 th 2010 Samuel Battaglia Technical Manager | Network Critical SHARKFEST.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 TAP’s Demystified June 16 th 2010 Samuel Battaglia Technical Manager | Network Critical SHARKFEST.
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 The Shark Distributed Monitoring System: Distributing Wireshark Deep Packet Analysis to LAN/WAN.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 The Shark Distributed Monitoring System: Distributing Wireshark Deep Packet Analysis to LAN/WAN.
Symantec De-Duplication Solutions Complete Protection for your Information Driven Enterprise Richard Hobkirk Sr. Pre-Sales Consultant.

Symantec De-Duplication Solutions Complete Protection for your Information Driven Enterprise Richard Hobkirk Sr. Pre-Sales Consultant.
1 Advanced Database Technology February 12, 2004 DATA STORAGE (Lecture based on [GUW 11.2-11.5], [Sanders03, 1.3-1.5], and [MaheshwariZeh03, 3.1-3.2])

1 Advanced Database Technology February 12, 2004 DATA STORAGE (Lecture based on [GUW ], [Sanders03, ], and [MaheshwariZeh03, ])
CS 550 Amoeba-A Distributed Operation System by Saie M Mulay.

CS 550 Amoeba-A Distributed Operation System by Saie M Mulay.

Similar presentations

Ads by Google