Dropless, kernel bypass tcpdump on ExaNICs
tcpdump [0] has been known for a nifty tool for packet capture. However, current speeds of 10Gbps and beyond suffer from networking going through the kernel and packet drops will occur.
Using the shared objects approach a libpcap.so tailored for ExaNICs is provided which can be easily injected into the dynamic linking process when starting up tcpdump. (ldd will tell you all about your shared objects).
Our libpcap provides support for the latest (at the time of writing) libpcap version: version 1.11.0 [1]
ls -al libpcap.so.1
lrwxrwxrwx. 1 fischer fischer 17 May 2 12:59 libpcap.so.1 -> libpcap.so.1.11.0[fischer@centos7 $ LD_LIBRARY_PATH=. ldd /usr/sbin/tcpdump
linux-vdso.so.1 => (0x00007ffca27aa000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f5327968000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f5327505000)
libpcap.so.1 => ./libpcap.so.1 (0x00007f53272b7000)
libc.so.6 => /lib64/libc.so.6 (0x00007f5326ee9000)
/lib64/ld-linux-x86-64.so.2 (0x00007f5327b6e000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f5326ce5000)
libz.so.1 => /lib64/libz.so.1 (0x00007f5326acf000)
libnl-genl-3.so.200 => /lib64/libnl-genl-3.so.200 (0x00007f53268c9000)
libnl-3.so.200 => /lib64/libnl-3.so.200 (0x00007f53266a8000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f532648c000)
libm.so.6 => /lib64/libm.so.6 (0x00007f532618a000)
Using an environment flag such as TCPDUMP_DEBUG we can make sure that the plugin loaded successfully and ExaNIC support is available.
[fischer@centos7 $ sudo TCPDUMP_DEBUG=1 LD_LIBRARY_PATH=. /usr/sbin/tcpdump -i enp4s0
exa_create: Found 2 ExaNIC ports total
1) enp4s0 IP 10.0.0.1 Netmask 255.255.255.0 [10Gbps] [LINKUP]
2) enp4s0d1 IP 10.0.1.1 Netmask 255.255.255.0 [10Gbps] [LINKUP]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:01:12.788053 ARP, Request who-has 10.0.1.2 tell centos7, length 28
07:01:13.791121 ARP, Request who-has 10.0.1.2 tell centos7, length 28
07:01:14.792963 ARP, Request who-has 10.0.1.2 tell centos7, length 28
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
Happy captures !
References:
[0] tcpdump, https://www.tcpdump.org/
[1] NEIO Systems, http:/www.fastsockets.com