1. Vladimír Smotlacha CESNET High-speed Programmable Monitoring Adapter

2. Standard network monitoring Methods of L3 monitoring: Real time processing - data capturing, immediate processing, results storing Offline processing - raw data storing, postprocessing Limited scalability: throughput of local bus - flow at 10 Gb/s exceeds throughput of PCI-X 64/133 CPU performance x network speed disk systems - data amount - write speed

3. Advanced network monitoring Functions of intelligent monitoring adapter: timestamps - essential for specific applications (QoS measurement) packet classification - elimination of background traffic - different processing of particular data flows on-board processing - decreasing of CPU load, reduction of stored data support of applications - specialized blocks for specified applications

4. Hardware platforms Commodity NIC - no on-board processing - inaccurate timestamping DAG cards (Endace) - DAG 4.1 - 1Gb Ethernet, no on-board processing - DAG 6.x - 10 Gb Ethernet, on-board filtering SCAMPI adapter - 10 Gb Ethernet - filtering and advanced data processing

5. Monitoring adapter developed in scope of project SCAMPI (5th Framework IST project) Based on universal COMBO6 card (designed by Cesnet and Masaryk University) Components of SCAMPI adapter: COMBO6 card - VirtexII FPGA - CAM, RAM module Daughter card with link modules (1Gb and 10 Gb Ethernet) Timestamp unit SCAMPI adapter

6. COMBO6 board

7. Monitoring applications Packet capture - basic application, capturing of selected subset of data flow Flow statistics Threshold alerting for traffic engineering QoS monitoring Security applications - DoS detection

8. Structure of adapter

9. Timestamp unit timestamp format - 64 bit fixed point - 32 number of seconds (since 1.1.1970) - 32 fraction of second (precision about 230 ps) 100 MHz clock (oscillator 10 MHz, multiplied by 10) - TCXO - temperature compensated - resolution 10 ns - 64 bytes at rate 10Gb/s ~ 50 ns controlled by PPS input (e.g. GPS receiver) - accuracy (with PPS) ~ 1 us - accuracy (with NTP) ~ 50 us - accuracy of calibrated oscillator without PPS ~ aging of quartz

10. VHDL blocks HFE (header field extractor) - extracts data from TCP/UDP and IP headers - unified header structure assembling LUP (look-up processor) - CAM matching (width 272 bits) - evaluation of conditions - programmable engine for processing of unified header fields (32 bits comparison) - result of classification - 32-bit word SAU (sampling unit) - deterministic sampling - each n-th packet is passing through - probabilistic sampling - packet is passing with probability 1/n

11. VHDL blocks (cont.) PCK (payload checker) - checks payload for defined patterns (16 bytes) - patterns aggregated into groups STU (statistic unit) - packets lengths statistic: number of packets, total length, sum of squares of lengths, min/max value - statistics of intervals between packets: number of packets, total time, sum of squares of intervals, min/max value computed statistics - length: average data rate, average length of packets, variation of packets lengths - time: total time of data flow, average inter-packet interval, variation of inter-packet interval

12. Conclusion Specialized adapter installed in standard workstation allows monitoring for speeds 10 Gb/s and more Programmable hardware (FPGA) is suitable platform for support of monitoring applications