Subject: Re: Gigabit IDS solutions
From: Elliot Turner (eturnerINTRUSION.COM)
Date: Wed Nov 15 2000 - 15:34:19 CST


Robert,

Most conventional packet capture mechanisms (SOCK_PACKET, PF_PACKET, BPF)
utilize a dual-copy capture facility. This involves copying the packet
into some sort of capture buffer, and then copying it to a user-space
application.

TurboPacket maps a user-space memory buffer into kernel space. The packet
data is DMAed from the card into a skbuff, and then copied into the
TurboPacket ring buffer. This buffer is directly accessible to the
user-space application, eliminating any extra copies.

Most conventional capture mechanisms copy data into a capture buffer,
then into a user-space buffer.

One could conceivably argue that conventional capture mechanisms are
actually triple-copy, and the above described facilities are dual copy
(this depends on whether you consider the DMA transfer step a
conventional "copy"). Dual copy/Single copy seems to be the standard way
of referring to these mechanisms, however.

It's good to hear that other vendors are trying out DMA packet data
transfer. I've been doing a lot of DMA-related capture/performance
testing in my lab recently, and am in the process of determining which
hardware is best suited for the job.

Hardware becomes more of an issue when doing DMA transfers, as this form
of packet capture is non-portable and hardware-specific, and thus impacts
code design. Performance is also an obvious issue, as all hardware is not
created equal.

We should probably all agree upon some sort of standard naming convention
for this new form of packet capture, since it looks like several vendors
are implementing it. I don't personally like "zero copy". "DMA copy" or
"DMA transfer" seems okay, however. Anyone else have any comments/ideas?
A standard naming convention will help reduce confusion within the
community.

Elliot

-----Original Message-----
From: Robert Graham [mailto:robert_david_grahamyahoo.com]
Sent: Wednesday, November 15, 2000 1:29 PM
To: Elliot Turner; FOCUS-IDSSECURITYFOCUS.COM
Subject: Re: Gigabit IDS solutions

Elliot,

When you say that TurboPacket does only a single copy (rather than the
multiple copies that most operating systems do), what does that mean? A
lot of IDSs are moving to the technique whereby the adapter DMAs the data
directly into memory without intervention from the CPU. Is this how
TurboPacket works, or does the CPU copy the bytes? I know that Theo is
writing OpenBSD so that everything is DMAed directly to memory; I'm
curious as to how TurboPacket compares to this.

I'm still trying to figure out how to describe the DMA step. Do you call it
"zero-copy" or "one-copy" (or maybe "DMA-copy"?).

=====
Robert Graham
Personal: http://www.robertgraham.com Work: CTO Network ICE
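
Added example, not part of the original messages and not TurboPacket code: a single-threaded C model of the two capture paths the reply contrasts, counting CPU copies per packet. The per-slot owner flag, the slot sizes and every name here are assumptions; the message does not say how the ring hands frames between the kernel and the reader.

```c
/* Model only: no DMA, no mmap, no memory barriers (single-threaded). */
#include <stdint.h>
#include <string.h>

#define FRAMES   4      /* ring slots (constructed size) */
#define FRAME_SZ 128    /* bytes per slot (constructed size) */
enum { OWNER_KERNEL = 0, OWNER_USER = 1 };

struct frame { uint32_t owner, len; uint8_t data[FRAME_SZ]; };
struct ring  { struct frame f[FRAMES]; unsigned head, tail;
               unsigned long copies, drops; };

/* "Kernel" side: one copy from the DMAed packet (skb) into the shared ring.
 * If the reader still owns the next slot, the packet is dropped and counted. */
int ring_produce(struct ring *r, const uint8_t *skb, uint32_t len) {
    struct frame *fr = &r->f[r->head];
    if (fr->owner != OWNER_KERNEL || len > FRAME_SZ) { r->drops++; return -1; }
    memcpy(fr->data, skb, len);          /* the single CPU copy */
    r->copies++;
    fr->len = len;
    fr->owner = OWNER_USER;              /* hand the slot to the reader */
    r->head = (r->head + 1) % FRAMES;
    return 0;
}

/* "User" side: inspect the packet in place, no copy. NULL if none pending. */
const uint8_t *ring_peek(struct ring *r, uint32_t *len) {
    struct frame *fr = &r->f[r->tail];
    if (fr->owner != OWNER_USER) return NULL;
    *len = fr->len;
    return fr->data;
}

/* Return the slot to the producer once the packet has been inspected. */
void ring_release(struct ring *r) {
    r->f[r->tail].owner = OWNER_KERNEL;
    r->tail = (r->tail + 1) % FRAMES;
}

/* Conventional path: skb -> capture buffer -> user buffer.
 * Returns the number of CPU copies performed for this packet. */
unsigned long conventional_capture(const uint8_t *skb, uint32_t len,
                                   uint8_t *capbuf, uint8_t *userbuf) {
    memcpy(capbuf, skb, len);            /* copy 1: into the capture buffer */
    memcpy(userbuf, capbuf, len);        /* copy 2: into user space */
    return 2;
}
```

For an IDS sensor the `drops` counter is the number to watch: every packet refused because the ring was full is traffic the sensor never inspected.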
