Hardware nanosecond-precision timestamping for line-rate packet capture

IF 1.3 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS IET Networks Pub Date : 2024-01-19 DOI:10.1049/ntw2.12114

Xiaoying Huang

{"title":"Hardware nanosecond-precision timestamping for line-rate packet capture","authors":"Xiaoying Huang","doi":"10.1049/ntw2.12114","DOIUrl":null,"url":null,"abstract":"<p>Cybersecurity events occur frequently. When it comes to investigating security threats, it is essential to offer a 100 percent accurate and packet-level network history, which depends on packet capture with high precision packet timestamping. Many packet capture applications are developed based on data plane development kit (DPDK)—a set of libraries and drivers for fast packet processing. However, DPDK cannot give an accurate timestamp for every packet, and it is unable to truly reflect the order in which packets arrive at the network interface card. In addition, DPDK-based applications cannot achieve zero packet loss when the packet is small such as 64 B for beyond 10 Gigabit Ethernet. Therefore, the authors proposed a new method based on Field-Programmable Gate Array (FPGA) to solve this problem. The authors also develop a DPDK driver for FPGA devices to make the design compatible with all DPDK-based applications. The proposed method performs timestamping at line-rate for 10 Gigabit Ethernet traffic at 4 ns precision and 1 ns precision for 25 Gigabit, which greatly improves the accuracy of security incident retrospective analysis. Furthermore, the design can capture full-size packets for any protocol with zero packet loss and can be applied to 40/100 Gigabit systems as well.</p>","PeriodicalId":46240,"journal":{"name":"IET Networks","volume":null,"pages":null},"PeriodicalIF":1.3000,"publicationDate":"2024-01-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1049/ntw2.12114","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Networks","FirstCategoryId":"1085","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1049/ntw2.12114","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Cybersecurity events occur frequently. When it comes to investigating security threats, it is essential to offer a 100 percent accurate and packet-level network history, which depends on packet capture with high precision packet timestamping. Many packet capture applications are developed based on data plane development kit (DPDK)—a set of libraries and drivers for fast packet processing. However, DPDK cannot give an accurate timestamp for every packet, and it is unable to truly reflect the order in which packets arrive at the network interface card. In addition, DPDK-based applications cannot achieve zero packet loss when the packet is small such as 64 B for beyond 10 Gigabit Ethernet. Therefore, the authors proposed a new method based on Field-Programmable Gate Array (FPGA) to solve this problem. The authors also develop a DPDK driver for FPGA devices to make the design compatible with all DPDK-based applications. The proposed method performs timestamping at line-rate for 10 Gigabit Ethernet traffic at 4 ns precision and 1 ns precision for 25 Gigabit, which greatly improves the accuracy of security incident retrospective analysis. Furthermore, the design can capture full-size packets for any protocol with zero packet loss and can be applied to 40/100 Gigabit systems as well.

Abstract Image

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

用于线速数据包捕获的纳秒级精度硬件时间戳

网络安全事件频繁发生。在调查安全威胁时，必须提供 100% 准确的数据包级网络历史记录，而这取决于具有高精度数据包时间戳的数据包捕获。许多数据包捕获应用都是基于数据平面开发套件（DPDK）开发的，这是一套用于快速数据包处理的库和驱动程序。然而，DPDK 无法为每个数据包提供准确的时间戳，也无法真实反映数据包到达网络接口卡的顺序。此外，当数据包较小时，如超过万兆以太网的 64 B 数据包，基于 DPDK 的应用程序无法实现零数据包丢失。因此，作者提出了一种基于现场可编程门阵列（FPGA）的新方法来解决这个问题。作者还为 FPGA 设备开发了 DPDK 驱动程序，使设计与所有基于 DPDK 的应用兼容。所提出的方法以线速对万兆以太网流量执行时间戳，精度为 4 ns，对 25 千兆以太网流量执行时间戳，精度为 1 ns，大大提高了安全事件回顾分析的准确性。此外，该设计可捕获任何协议的全尺寸数据包，且数据包丢失为零，还可应用于 40/100 千兆位系统。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IET Networks COMPUTER SCIENCE, INFORMATION SYSTEMS-

CiteScore

5.00

自引率

0.00%

发文量

审稿时长

33 weeks

期刊介绍： IET Networks covers the fundamental developments and advancing methodologies to achieve higher performance, optimized and dependable future networks. IET Networks is particularly interested in new ideas and superior solutions to the known and arising technological development bottlenecks at all levels of networking such as topologies, protocols, routing, relaying and resource-allocation for more efficient and more reliable provision of network services. Topics include, but are not limited to: Network Architecture, Design and Planning, Network Protocol, Software, Analysis, Simulation and Experiment, Network Technologies, Applications and Services, Network Security, Operation and Management.