The NetWitness Platform Decoder supports capturing packets through the Data Plane Development Kit, also known as DPDK. DPDK is a set of libraries and drivers that support applications that work on directly on packets. DPDK's web site, www.dpdk.org, provides more information.
The Decoder can use the DPDK to ingest packets from Ethernet interfaces. It is an alternative to existing packet capture options built into the Decoder. DPDK offers these advantages:
- It is entirely open source, with no binary-only driver components, unlike PF_RING.
- It is directly supported by multiple vendors, including our main vendor, Intel.
- Since the kernel-level interface is in the mainline Linux kernel, there are no separate driver packages to compile and distribute.
- DPDK devices are completely separate from the Linux network stack, which avoids unintentional interaction between Linux networking and packet capture.
- DPDK is capable of capturing at greater than 10G, unlike the packet_mmap.
How it Works
DPDK completely detaches the Ethernet interface from the Linux kernel. It does this by doing the following:
- It uses a Linux User I/O driver mechanism to expose the raw PCI-Express device to normal Linux programs. This means that it can take the raw memory space mapped to the PCI device and expose it, so that a normal Linux program can directly manipulate the hardware. There are a couple of drivers built into the Linux mainline kernel that can accomplish this. Decoder is designed to use vfio_pci_generic.
- The DPDK provides its own user-space implementation of the hardware drivers for a wide variety of Ethernet cards. When a DPDK application like Decoder is loaded, it can attach directly to the PCI device and manipulate it using DPDK-specific library functions. When a device is attached to DPDK, the Decoder can see it and automatically sets the device up with the DPDK Capture Device option.
Migrate PF_RING Devices to DPDK
For configurations using multiple adapter packet capture (available in 11.5 and later), you must use the manual procedure outlined in Manually Move a Capture Interface to DPDK . For example, the migration (dpdk migrate) does not support a Decoder when capture is configured with: capture.interface=PFRINGZC,em3; PFRINGZC,em4;packet_mmap,em2.
For configurations prior to 11.5, the procedure that uses the devices parameter to capture from multiple PF_RING-supported interfaces (for example, ixgbe and i40e) will be converted to using DPDK, along with the multiple adapter packet capture, so that one capture thread is used per interface.
For example, the migration will work if configured as follows:
- For multi-interface capture: capture.interface=PFRINGZC,em3 along with capture.device.params=device=zc:em3,zc:em4
- For single interface capture: capture.interface=PFRINGZC,em3
If you are using PF_RING to capture packets on your Decoder, you can use the Decoder's dpdk migrate command to migrate your existing PF_RING capture devices to DPDK. This command uses your currently-selected capture device configuration to determine which network interfaces are moved to DPDK control.
- Go to (Admin) > Services and select a Decoder.
- Click > View > Explore, right-click decoder and select Properties.
- From the command drop-down list, select the dpdk command, type the parameter migrate, and click Send.
- In the command output window, the changes that will be made on the Decoder to perform the migration are displayed. If everything looks correct for the migration, add the parameter commit=1 to the command after migrate to actually make the changes on the Decoder.
- At the reboot prompt, reboot the host to make the driver loading changes.
- Run the new host service command /appliance/nicToDp, that converts a named network interface and sends it to DPDK.
For example, if you provide nicToDp an interface name like p1p1 it detaches it and sets it up for DPDK to use. It does the following:
- Identifies the PCI address of the named interface.
- Creates configuration files that describe which PCI addresses DPDK is allowed to use.
- Sets up a systemd unit that binds the configured PCI addresses to DPDK instead of to the default Linux drivers on the next system reboot.
- Reboot the Decoder host. The reboot accomplishes the following:
- Ensures that live capture on the interfaces stops before the network driver is unloaded.
- Binds the vfio_pci_generic driver to the configured interfaces.
- Pre-allocates some Huge Page memory for each interface, as required by the DPDK libraries.
- After the reboot, the Decoder does not start capturing, since the network interface it had been using to capture has been moved to DPDK. Change the Decoder's capture configuration to select the DPDK device that is now available. For information about how to change the capture configuration, see Configure Capture Settings.
- Restart the service.