Full-rate Gigabit Capture
Full-rate Gigabit Ethernet packet capture is most needed when your network is exhibiting poor performance. There could be many reasons for this, including an attack on your network. These are the times when it is important to be able to capture traffic from your network without dropping any packets. TurboCap supports full-rate Gigabit capture with even the smallest packet sizes (64 bytes), which is the most challenging situation. Moreover, TurboCap can support simultaneous full-rate packet capture on two ports, which adds to your ability to get improved network visibility.
Aggregation of Gigabit Ethernet Traffic
Capturing traffic in timestamp order from two different sources is a common and important network analysis requirement. This is referred to as "aggregation" and provides a means to measure packet delays between two sources, such as the ingress and egress of a switch or router. TurboCap supports full-rate traffic aggregation of the traffic received on both ports of the same board. This is presented to the user as a virtual port called a Board Aggregating Port (BAP).
TurboCap also supports aggregation of all of the ports on all of the TurboCap boards installed on your system. This capability affords the opportunity to aggregate more than two traffic sources in a single capture.
Pass-thru Mode
Often the preferred way to capture traffic is to tap into your network. TurboCap can emulate a network tap by being configured to inject the traffic received from one port to the other port on the same board. When the board is in pass-thru mode, the injection is done simultaneously for both ports of the same board and, consequently, TurboCap can act as a Network Tap.
In the figure to the right, the gray blocks along the top edge represent a full duplex link with network traffic flowing in both directions. TurboCap, in pass-thru mode, can be inserted into a full duplex link in such a way that it preserves the traffic along the full duplex link. In the figure, Port A captures the traffic going from left-to-right, injects it back into the full duplex link through Port B, and also passes the captured traffic to user-level applications. On the other hand, Port B captures the traffic going from right-to-left, injects it back into the full duplex link through Port A, and also passes the captured traffic to user-level applications.
It is important to note that the combination of pass-thru mode and board aggregation provides the functionality of an aggregating tap.
Application Performance
The TurboCap card and optimized driver are capable of capturing full-rate Gigabit Ethernet traffic simultaneously on both ports and delivering this data to an application. The overall application performance is often determined by a number of additional factors such as the application's computational tasks, disk write speed, CPU speed, and main memory size. TurboCap is integrated with WinPcap/libpcap and, consequently, supports applications such as Wireshark, Windump/tcpdump, and Ntop. Note that when using these applications with TurboCap, the capture performance at high data rates will be determined by the specific application. For more information on Wireshark performance in various load scenarios, see http://wiki.wireshark.org/Performance.
Full-rate Gigabit Ethernet Traffic Injection
For stress testing your network, TurboCap offers full-rate simultaneous Gigabit Ethernet traffic injection on both ports. The TurboCap API is available for developing a wide range of traffic injection applications, e.g. vulnerability testing. Packet sizes can range from 64 bytes to 9234 bytes (jumbo frames) and packets are transmitted in the order they are sent to the driver with minimal delay.
Timestamps
TurboCap offers a range of timestamp modes which trade timestamp accuracy for CPU utilization. You have the option of choosing the timestamp mode that best suits your needs, from highly accurate timestamps to no timestamp generation.
Polling Mode. In this mode, a CPU polls for packet arrivals and timestamps the packet as soon as it is available from the board. These timestamps are very accurate (microsecond accuracy) but require a CPU to be running in a busy wait loop.
Timer Mode. Timer mode uses a 1ms timer to periodically timestamp incoming packets. This puts very little load on the CPU and provides timestamps with millisecond accuracy.
Off. In this case, no timestamps are generated and the timestamp fields in the packet meta-information are set to zero.
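The aggregation and timestamp-mode passages above can be illustrated together. The following is an added example, not TurboCap code or its API: it merges two per-port streams into timestamp order, measures per-frame transit delay between the ports, and repeats the measurement with timestamps floored to a 1 ms tick. The record layout, function names, sample frames and the flooring model of Timer mode are all assumptions made for illustration.

```python
import heapq
from collections import namedtuple

# Hypothetical record layout: timestamp in microseconds, port label, frame bytes.
Pkt = namedtuple("Pkt", "ts_us port frame")

def aggregate(*ports):
    """Merge per-port streams (each already time-ordered) into a single
    timestamp-ordered stream. Ties are broken by argument order."""
    return list(heapq.merge(*ports, key=lambda p: p.ts_us))

def transit_delays(merged, ingress="A", egress="B"):
    """Pair each frame seen on the ingress port with its next appearance on
    the egress port and return the per-frame delays in microseconds."""
    pending = {}  # frame bytes -> ingress timestamps still awaiting a match
    delays = []
    for p in merged:
        if p.port == ingress:
            pending.setdefault(p.frame, []).append(p.ts_us)
        elif p.port == egress and pending.get(p.frame):
            delays.append(p.ts_us - pending[p.frame].pop(0))
    return delays

def timer_mode(stream, tick_us=1000):
    """Assumed model of Timer mode: floor every timestamp to a 1 ms tick."""
    return [p._replace(ts_us=p.ts_us - p.ts_us % tick_us) for p in stream]

# Constructed sample capture: three frames enter on port A and leave on port B.
PORT_A = [Pkt(1000100, "A", b"f1"), Pkt(1000400, "A", b"f2"),
          Pkt(1001900, "A", b"f3")]
PORT_B = [Pkt(1000250, "B", b"f1"), Pkt(1000950, "B", b"f2"),
          Pkt(1002050, "B", b"f3")]

def demo():
    """Return the delays measured with microsecond and with 1 ms timestamps."""
    precise = transit_delays(aggregate(PORT_A, PORT_B))
    coarse = transit_delays(aggregate(timer_mode(PORT_A), timer_mode(PORT_B)))
    return precise, coarse

if __name__ == "__main__":
    precise, coarse = demo()
    print("microsecond timestamps:", precise)
    print("1 ms timestamps:       ", coarse)
```

With the 1 ms tick, sub-millisecond transit delays collapse to 0 or to a whole tick, so delay measurement through a switch or router calls for the more accurate mode.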
TurboCap Performance and Recommended Hardware
The TurboCap capture board and optimized drivers (Windows and Linux Fedora 10) are only two of the components that determine the overall capture performance of your system. The TurboCap board is based on a 4-lane PCIe host interface. To achieve maximum performance from your TurboCap system, we recommend the following minimum hardware requirements:
PCIe: The TurboCap board requires either x4 or x8 PCI Express slots with 4 lanes available for the TurboCap board
CPU: Pentium-D (dual core) processor or multiple CPUs (SMP), 2.8GHz
Memory: 2GB RAM
Disk: Full-rate dump-to-disk requires disk arrays that have sufficient capacity and speed to keep up with full-rate Gigabit Ethernet. Disk capacity and speed can be achieved using highly parallel disk arrays.