Subject: non-standard way to capture network traffic
To: None <tech-kern@netbsd.org>
From: Zeljko Vrba <zvrba@globalnet.hr>
List: tech-kern
Date: 09/24/2005 10:01:45

But in a little non-standard way.

I have a dual-proc machine with two broadcom gigabit ethernet cards. One
card (bge0) I want to use for 'regular' network processing, and the
other (bge1) for recording another stream of traffic.

To explain in detail:

1. I expect to receive incoming almost full 1Gbit of traffic on bge1. I
will not be doing any outgoing traffic.

2. I don't need any network stack processing. After the ethernet frame
is received, I want to record the following data only:
  - arrival time, as precise as possible (read local APIC?)
  - full TCP/UDP/IP header (I can parse eth frame myself, if necessary)
  - the data load I will discard

3. The collected data needs to be written to disk. As few as possible
frames should be lost.

This is for an experiment. While the experiment is ongoing, I don't need
the machine to be usable for other tasks. I.e., if everything else stops
due to high load - I don't care :)

I was thinking to use raw disk partition to write fixed-length records
of binary data, to avoid any filesystem overhead. At 1GBit/sec traffic,
and around ~128 bytes are only IP headers. 1Gbit/sec ~ 100 MB/sec. My
disks can't sustain that high throughput. However, I expect that the
incoming packets will have some data load which I discard, so I hope to
be able to capture all traffic.

However, what is the best way to accomplish point 2? Can it be done fast
enough by diverting packets to userland or should I write some kind of
kernel module and do it all in-kernel? Where to begin?

Thanks for your answers.

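An added example, not part of the original message: one way to build the fixed-length record described in point 2 (timestamp plus IP and TCP/UDP headers, payload dropped) and to estimate the disk rate such records imply at 1 Gbit/s. The 128-byte layout, the names `cap_rec`, `cap_pack` and `cap_disk_rate`, and the sample frame are assumptions; the arrival timestamp is passed in by the caller, and VLAN-tagged and non-IPv4 frames are not handled.

```c
#include <stdint.h>
#include <string.h>

#define REC_SIZE 128                 /* assumed fixed record length */
#define HDR_MAX  (REC_SIZE - 12)     /* space left after the 12-byte prefix */

struct cap_rec {                     /* hypothetical on-disk layout */
    uint64_t ts_ns;                  /* arrival time, supplied by the caller */
    uint16_t wire_len;               /* frame length as received */
    uint16_t hdr_len;                /* header bytes stored in hdr[] */
    uint8_t  hdr[HDR_MAX];           /* IPv4 + TCP/UDP header, payload dropped */
};

/* Fill *r from one untagged Ethernet frame. Returns 1 for IPv4 TCP/UDP,
 * 0 when the frame is truncated, malformed, or another protocol. */
int cap_pack(const uint8_t *f, size_t n, uint64_t ts_ns, struct cap_rec *r)
{
    if (n < 14 + 20 || f[12] != 0x08 || f[13] != 0x00) return 0;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, l4 = 0;
    if (ip[0] >> 4 != 4 || ihl < 20 || n < 14 + ihl) return 0;
    if (ip[9] != 6 && ip[9] != 17) return 0;
    if (((ip[6] & 0x1f) << 8 | ip[7]) == 0) {    /* only fragment 0 has L4 */
        if (ip[9] == 17) l4 = 8;                 /* UDP header */
        else if (n >= 14 + ihl + 13) l4 = (size_t)(ip[ihl + 12] >> 4) * 4;
        if (ip[9] == 6 && l4 < 20) return 0;     /* bad TCP data offset */
    }
    size_t hl = ihl + l4;
    if (n < 14 + hl) return 0;                   /* headers cut short */
    if (hl > HDR_MAX) hl = HDR_MAX;              /* heavy options: clamp */
    memset(r, 0, sizeof *r);
    r->ts_ns = ts_ns;
    r->wire_len = (uint16_t)n;
    r->hdr_len = (uint16_t)hl;
    memcpy(r->hdr, ip, hl);
    return 1;
}

/* Record bytes/s to disk at 1 Gbit/s for frames of frame_len bytes (FCS
 * included); the extra 20 bytes are preamble and inter-frame gap. */
uint64_t cap_disk_rate(unsigned frame_len)
{
    return 125000000ULL / (frame_len + 20) * REC_SIZE;
}

/* Constructed sample: 46-byte UDP frame, zeroed addresses, 4 payload bytes. */
static const uint8_t sample_udp[46] = { [12] = 0x08, 0x00, /* IPv4 */
    [14] = 0x45, [17] = 32, [22] = 64, [23] = 17,          /* IHL 5, len 32, UDP */
    [39] = 12, [42] = 'd', 'a', 't', 'a' };                /* UDP len 12, data */
```

With this layout, minimum-size 64-byte frames at line rate need about 190 MB/s of record writes, more than the wire itself carries, while 1518-byte frames need about 10 MB/s.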