2 points from our experience in saving pcap files from a dpdk 10G fire hose:

1)
Our capture module provides a small "bit-vector" to the code that handles
the packets.
Since our packet processing code is already finding out basic stuff about
the packet traversing it (is it IPv4? v6?  is it TCP? is it fragmented?
..etc), it sets the relevant bits ON as it goes ,so that the capture module
can later quickly (mask against desired filters) decide if the a packet
needs to be captured.
Point is - when a capture layer exposes a slim API that lets it utilize
info coming from other modules , its easier and less expensive to handle
the fire hose.

2)
In many cases we are interested in capturing complete TCP flows, or at
least the first X packets of them.
In this case, A more expensive filter may be applied only on the SYN packet
and when matches, turns ON a bit on the tcp flow applicative context that
says we want to capture any packet falling under this tuple.
Point is - applicative filters at different costs are applied on different
packet types utilizing the mask from the previous bullet

Such a model should obviously need to be optional on a formal capture layer,
but when dealing with a fire hose - I find it very useful.

/Arnon

-

On Wed, Dec 16, 2015 at 12:45 PM, Bruce Richardson <
bruce.richardson@intel.com> wrote:

On Mon, Dec 14, 2015 at 05:36:13PM -0500, Matthew Hall wrote:

quoted

On Mon, Dec 14, 2015 at 04:29:41PM -0500, Kyle Larose wrote:

quoted

I've seen lots of ideas and options tossed around which would solve
some or all of the above items, but nobody actually committing to
anything. What can we do to actually agree on a solution to go and
implement? I'm relatively new to the community, so I don't really know
how this stuff works. Do people typically form a working group where
they go off and discuss the problem, and then come back to the main
community with a proposal? Or do people just submit RFCs independently
with their own ideas?

Thanks,
Kyle

I am getting the impression of a misplaced sense of urgency / panic. I

don't

quoted

think anybody came up with a reason why we have to answer all these

questions

quoted

tremendously quickly. It will take some more time, particularly with the
holidays, for the developers to finish the last bug fixes on the current
release before they have time to discuss 2.3 features.

When that happens, someone working on DPDK full time will be identified

as the

quoted

leader for the feature, that will lead the effort on PCAP, and help us
formulate the plan. Until then, what we really could use at this point

is not

quoted

necessarily more writings and speculation, but an answer on some key tech
questions, particularly from some kernel guys:

1) How do we get the pcap filter string and/or BPF opcode vector from

libpcap

quoted

/ tcpdump / tshark / wireshark, into the DPDK application? There we can
compile it using the user-space bpfjit, so we can filter the packets at

very

quoted

high speeds and not end up breaking everything doing a ton of stupid

copies

quoted

when somebody does a capture of one flow on his i40e device or such.

libpcap

quoted

is crappy about this, as it sends it all over syscalls which are always
assuming the kernel is on the other end, which is a bad assumption on

their

quoted

part but many decades old and not so easy to fix.

2) How do we get the matched packets back out to the extcap or libpcap?

From

quoted

what I saw extcap is tshark / wireshark only, which are 1) GPL licensed

in

quoted

various ways, 2) not as widely used as libpcap. So using only extcap

might be

quoted

kind of crappy.

3) For libpcap to work, maybe it will help if some of our kernel guys

can help

quoted

us find out how to "detect" the kernel put a BPF capture filter onto a

TUN /

quoted

TAP interface, and copy that filter to the DPDK app. Then, take any

matched

quoted

packets and write them back onto the TUN / TAP. This would also be super
efficient and work with more off-the-shelf tools besides just tshark /
wireshark.

If we don't find the answers for these items I don't think we have a

path to a

quoted

working solution, forgetting about all the nice-to-have points such as UX
issues, troubleshooting, debugging, etc.

Matthew.

Hi,

we are currently doing some investigation and prototyping for this feature.
Our current thinking is the following:
* to allow dynamic control of the filtering, we are thinking of making use
of
  the multi-process infrastructure in DPDK. A secondary process can attach
to a
  primary at runtime and provide the packet filtering and dumping
capability.
* ideally we want to create a generic packet mirroring callback inside the
EAL,
  that can be set up to mirror packets going through Rx/Tx on an ethdev.
* using this, packets being received on the port to be monitored are sent
via
  an rte_ring (ring ethdev) to the secondary process which takes those
packets
  and does any filtering on them. [This would be where BPF could fit into
  things, but it's not something we have looked at yet.]
* initially we plan to have the secondary process then write packets to a
pcap
  file using a pcap PMD, but down the road if we get other PMDs, like a
KNI PMD
  or a TAP device PMD, those could be used as targets instead.

This implementation we hope should provide enough hooks to enable the
standard
tools to be used for monitoring and capturing packets. We will send out
draft
implementation code for various parts of this as soon as we have it.

Additional feedback welcome, as always. :-)

Regards,
/Bruce

-- 

*Arnon Warshavsky*
*Qwilt | work: +972-72-2221634 | mobile: +972-50-8583058 | arnon@qwilt.com
[off-list ref]*