Presentation is loading. Please wait.

Presentation is loading. Please wait.

An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, FFPF: Fairly Fast Packet Filters Herbert Bos Vrije Universiteit.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, FFPF: Fairly Fast Packet Filters Herbert Bos Vrije Universiteit."— Presentation transcript:

1 An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb FFPF: Fairly Fast Packet Filters Herbert Bos Vrije Universiteit Amsterdam herbertb @ cs.vu.nl http://ffpf.sourceforge.net uspace kspace nspace u k n uspace kspace nspace u k n

2 An IST Projecthttp://www.ist-lobster.org/ 2 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Outline 1.What is FFPF? 2.How does it work? 3.How can I use it? hardware support applications examples

3 An IST Projecthttp://www.ist-lobster.org/ 3 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Network Monitoring Increasingly important –traffic characterisation, security traffic engineering, SLAs, billing, etc. Existing solutions: –designed for slow networks or traffic engineering/QoS –not very flexible spread of SAPPHIRE in 30 minutes

4 An IST Projecthttp://www.ist-lobster.org/ 4 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Network Monitoring We’re hurting because of –hardware (bus, memory) –software (copies, context switches) - process at lowest possible level -minimise copying -minimise context switching - freedom at the bottom  demand for solution: - scales to high link rates - scales in no. of apps - flexible

5 An IST Projecthttp://www.ist-lobster.org/ 5 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb What is it? single framework for monitoring that –uses all levels in the processing hierarchy –is language neutral –offers advanced processing in NIC –supports stateless and stateful filters –is backward compatible with pcap (while also supporting a much more powerful packet language) –helps users to build complex monitoring applications by ‘clicking components together’ U TCP UDP IP “contains worm” HTTP RTP bytecount RTSP

6 An IST Projecthttp://www.ist-lobster.org/ 6 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Application B reduce copying FFPF avoids both ‘horizontal’ and ‘vertical’ copies Application A U K ‘filter’ - no ‘vertical’ copies - no ‘horizontal’ copies within flow group - more than ‘just filtering’ in kernel (e.g.,statistics)

7 An IST Projecthttp://www.ist-lobster.org/ 7 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Buffers O O O O O OO W R PacketBuf –circular buffer with N slots –large enough to hold packet IndexBuf –circular buffer with N slots –pointers to packets in PacketBuf

8 An IST Projecthttp://www.ist-lobster.org/ 8 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Buffers PacketBuf –circular buffer with N slots –large enough to hold packet IndexBuf –circular buffer with N slots –pointers to packets in PacketBuf O O O O O OO W R

9 An IST Projecthttp://www.ist-lobster.org/ 9 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Buffers PacketBuf –circular buffer with N slots –large enough to hold packet IndexBuf –circular buffer with N slots –pointers to packets in PacketBuf X X X X X OO W R

10 An IST Projecthttp://www.ist-lobster.org/ 10 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Buffer management  what to do if writer catches up with slowest reader? slow reader preference –drop new packets (traditional way of dealing with this) –overall speed set by slowest reader fast reader preference –overwrite existing packets –application responsible for keeping up check whether packets have been overwritten different drop rates for different apps O R1 O O O O O O O W O O O O O O O O R2

11 An IST Projecthttp://www.ist-lobster.org/ 11 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb How to use it? we build complex applications out of simple components

12 An IST Projecthttp://www.ist-lobster.org/ 12 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb applications userspace kernelspace ixp2xxx FFPF host- NIC boundary userspace-kernel boundary MAPI libpcap FFPF toolkit FFPF Software structure

13 An IST Projecthttp://www.ist-lobster.org/ 13 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb [(device,expr=eth0) | (device,expr=eth1)] > (sampler,expr=2) > [(FPL-2,expr=”..”) | (BPF,expr=”..”)] > (bytecount) (device,expr=eth0) > (sampler, expr=2) > (BPF,expr=”..”) > (packetcount) Extensible ✔ modular framework ✔ language agnostic ✔ plug-in filters

14 An IST Projecthttp://www.ist-lobster.org/ 14 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Example: GUI for creating flowgraphs

15 An IST Projecthttp://www.ist-lobster.org/ 15 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb simple GUI support

16 An IST Projecthttp://www.ist-lobster.org/ 16 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb simple GUI support

17 An IST Projecthttp://www.ist-lobster.org/ 17 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb simple GUI support

18 An IST Projecthttp://www.ist-lobster.org/ 18 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb mapping on hardware FFPF is responsible for mapping the flowgraph on the underlying hardware

19 An IST Projecthttp://www.ist-lobster.org/ 19 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb 19 Instantiating flow graphs KERNEL USERSPACE functions not available in kernel

20 An IST Projecthttp://www.ist-lobster.org/ 20 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb 20 Instantiating flow graphs KERNEL USERSPACE functions available in kernel

21 An IST Projecthttp://www.ist-lobster.org/ 21 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Three flavours 21 Three flavours of packet processing on IXP & host Regular -copy only when needed -may be slow depending on access pattern Zero copy -never copy -may be slow depending on access pattern Copy once -copy always

22 An IST Projecthttp://www.ist-lobster.org/ 22 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Example 1: writing applications 1.int main(int argc, char** argv) { 2. void *opaque_handle; 3.int count, returnval; 4./** pass the string to the subsystem. It initializes and returns an opaque pointer */ 5.opaque_handle = ffpf_open(argv[1], strlen(argv[1])); 6.if (start_listener(asynchronous_listener, NULL)) 7. { 8. printf (WARNING,“spawn failed\n"); 9. ffpf_close (opaque_handle); return -1; 10.} 11.count = ffpf_process(FFPF_PROCESS_FOREVER); 12.stop_listener(1); 13.returnval = ffpf_close(opaque_handle); 14.printf(,"processed %d packets\n",count); 15.return returnval; 16.}

23 An IST Projecthttp://www.ist-lobster.org/ 23 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Example 1: writing applications 1.void* asynchronous_listener(void* arg) { 2.int i; 3.while (!should_stop()) { 4.sleep(5); 5.for (i=0;i<export_len;i++) { 6. printf("flowgrabber %d: read %d, written%d\n", i, get_stats_read(exported[i]), get_stats_processed(exported[i])); 7. while ((pkt = get_packet_next(exported[i]))) { 8. dump_pkt (pkt); 9.} 10.} 11. } 12.return NULL; 13.}

24 An IST Projecthttp://www.ist-lobster.org/ 24 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Example 2: FPL-2 new pkt processing language: FPL-2 for IXP, kernel and userspace simple, efficient and flexible simple example: filter all webtraffic IF ( (PKT.IP_PROTO == PROTO_TCP) && (PKT.TCP_PORT == 80)) THEN RETURN 1; more complex example: count pkts in all TCP flows IF (PKT.IP_PROTO == PROTO_TCP) THEN R[0] = Hash[ 14, 12, 1024]; M[ R[0] ]++; FI

25 An IST Projecthttp://www.ist-lobster.org/ 25 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb FPL-2 all common arithmetic and bitwise operations all common logical ops all common integer types –for packet –for buffer (  useful for keeping state!) statements –Hash –External functions to call hardware implementations to call fast C implementations –If … then … else –For … break; … Rof –Return

26 An IST Projecthttp://www.ist-lobster.org/ 26 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Example application: dynamic ports 1. // R[0] stores no. of dynports found (initially 0) 2. IF (PKT.IP_PROTO==PROTO_TCP) THEN 3. IF (PKT.TCP_DPORT==554) THEN 4. M[R[0]]=EXTERN("GetDynTCPDPortFromRTSP",0,0); 5. R[0]++; 6. ELSE // compare pkt’s dst port to all ports in array – if match, return pkt 7. FOR (R[1]=0; R[1] < R[0]; R[1]++) 8. IF (PKT.TCP_DPORT == M[ R[1] ] ) THEN 9. RETURN TRUE; 10. FI 11. ROF 11. FI 12. FI 12. RETURN FALSE;

27 An IST Projecthttp://www.ist-lobster.org/ 27 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Summary concept of ‘flow’  generalised copying and context switching  minimised processing in kernel/NIC  complex apps + ‘pipes’ FPL: FFPF Packet Languages  fast + flexible persistent storage  flow-specific state flow groups  applications sharing packet buffers commandline/GUIs  easy to use

28 An IST Projecthttp://www.ist-lobster.org/ 28 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb More Information http://ffpf.sourceforge.net/

29 An IST Projecthttp://www.ist-lobster.org/ 29 Herbert Bos, VU, http://ww.cs.vu.nl/~herbertb Pkt processing on IXP 29

Download ppt "An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, FFPF: Fairly Fast Packet Filters Herbert Bos Vrije Universiteit."

Similar presentations

Pointers.

Pointers.
Lectures 10 & 11.

Lectures 10 & 11.
Datalink Access.

Datalink Access.
Programming Languages and Paradigms The C Programming Language.

Programming Languages and Paradigms The C Programming Language.
1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.

1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.
Lecture 20 Arrays and Strings

Lecture 20 Arrays and Strings
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
Internetworking Pertemuan 07 Matakuliah: H0484/Jaringan Komputer Tahun: 2007.

Internetworking Pertemuan 07 Matakuliah: H0484/Jaringan Komputer Tahun: 2007.
An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.

An IST Projecthttp:// 1 Herbert Bos, VU, The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.
6/10/2015C++ for Java Programmers1 Pointers and References Timothy Budd.

6/10/2015C++ for Java Programmers1 Pointers and References Timothy Budd.
Silberschatz, Galvin and Gagne  2002 13.1 Operating System Concepts Chapter 13: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 13: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem.
I/O Hardware n Incredible variety of I/O devices n Common concepts: – Port – connection point to the computer – Bus (daisy chain or shared direct access)

I/O Hardware n Incredible variety of I/O devices n Common concepts: – Port – connection point to the computer – Bus (daisy chain or shared direct access)
FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.

FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.
Computer System Overview

Computer System Overview
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.

Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
OS support for (flexible) high-speed networking Herbert Bos Vrije Universiteit Amsterdam uspace kspace nspace u k n monitoring intrusion detection packet.

OS support for (flexible) high-speed networking Herbert Bos Vrije Universiteit Amsterdam uspace kspace nspace u k n monitoring intrusion detection packet.
FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.

FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface

Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May

Similar presentations

Ads by Google