Packet Capture (PCAP)

n2disk™ (Smart & Continuous)

High-Speed Network Traffic Recorder with Lossless Packet Capture

n2disk captures full-sized network packets at multi-Gigabit speeds (up to 100-Gbps solutions), ensuring lossless packet capture directly from a live network interface. n2disk dumps packets to files in the industry-standard PCAP file format, so the resulting output can be easily integrated with existing third-party workflows (Splunk, Elastic SIEMs) or open-source analysis tools (e.g. Wireshark).

More Than a Simple Packet-to-Disk Application

  • High Speed Packet Capture

    Line-rate recording of 64-byte packets at maximum efficiency.

    Supports Intel 1/10/40Gbps NICs (Intel, Myricom) and FPGA-accelerated NICs (Accolade Technology, Napatech, Silicom/Fiberblaze).

  • Advanced Filtering

    BPF Filters (same format as tcpdump) to exclude unwanted packets before they are written.

    Optimized BPF-like Filters, offering a faster alternative to standard Bg

  • Optimized For Performance

    Designed for multi-core architectures, using at least two threads (one for packet capture, one for disk writing).

    Supports multi-threaded packet capture, with optimized communication between threads for maximum efficiency.

  • Accelerated PCAP & Storage

    Utilizes PF_RING and PF_RING ZC for capture acceleration.

    Direct-IO Disk Access maximizes disk-write throughput for high-speed storage.

  • Real-Time Indexing

    Creates on-the-fly indexes during capture for fast packet retrieval using BPF-like syntax.

    Generates a timeline index, keeping all captured traffic in chronological order for quick searches across large datasets.

  • Fully Configurable

    Custom settings to fit your network recording needs.

    Supports both regular PCAP and nanosecond precision PCAP formats for compatibility with third-party tools.
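
An added example (not n2disk code or ntop tooling): a minimal reader that a downstream tool could use to tell the regular PCAP format from the nanosecond-precision one by the file's magic number, in either byte order, and normalise every timestamp to nanoseconds. The function names are hypothetical and the sample capture is constructed inline.

```python
import struct

# Magic numbers of the classic libpcap file format.
MAGIC_USEC = 0xA1B2C3D4  # record timestamps carry microseconds
MAGIC_NSEC = 0xA1B23C4D  # record timestamps carry nanoseconds


def read_pcap(data):
    """Parse a classic PCAP byte string; return (precision, linktype, packets).

    packets is a list of (timestamp_ns, original_length, captured_bytes).
    """
    if len(data) < 24:
        raise ValueError("truncated PCAP global header")
    for endian in (">", "<"):  # the writer's byte order is only known from the magic
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic PCAP file (pcapng or unknown magic)")
    precision = "ns" if magic == MAGIC_NSEC else "us"
    scale = 1 if precision == "ns" else 1000  # normalise the fraction to ns
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        payload = data[off + 16:off + 16 + caplen]
        packets.append((sec * 1_000_000_000 + frac * scale, origlen, payload))
        off += 16 + caplen
    return precision, linktype, packets


def build_sample(magic, endian, frac):
    """Constructed sample: one 4-byte record with Ethernet linktype (1)."""
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    record = struct.pack(endian + "IIII", 1700000000, frac, 4, 64)
    return header + record + b"\xde\xad\xbe\xef"


if __name__ == "__main__":
    for magic, endian, frac in ((MAGIC_USEC, "<", 250000),
                                (MAGIC_NSEC, ">", 250000123)):
        precision, linktype, pkts = read_pcap(build_sample(magic, endian, frac))
        print(precision, linktype, pkts[0][0], pkts[0][1], pkts[0][2].hex())
```

Reading the fraction field with the wrong precision shifts timestamps by a factor of 1000 within each second, which breaks time-window queries and cross-source correlation.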

Real-Time Indexing

n2disk is able to produce an index on-the-fly during packet capture. The index can be queried using a BPF-like syntax to quickly retrieve interesting packets in a specified time interval. Besides the per-dump-file index, n2disk can also produce a timeline, a way of keeping the whole captured traffic in chronological order. Using the utilities provided with n2disk, it is possible to query the timeline for specific packets belonging to the whole dump set in a given time interval.

PCAP and Index Compression

n2disk can optionally compress on-the-fly both PCAP files and index, optimizing I/O throughput and disk space.

Performance

Low Performance

Packet Size (Bytes) | n2disk Sustained Throughput with no packet loss at 10 Gbit
Fixed 64            | Wire Rate
Fixed 128           |
Fixed 512           |
Random 64-1500      |

System Configuration

  • OS: Ubuntu 16.04
  • CPU: Intel(R) Xeon(R) E5-1660 v3 @ 3.0GHz
  • Motherboard: Supermicro
  • Memory: 32 GB
  • Card: Intel PCIe X520 10 Gigabit
  • Disks: 8x 1TB 10K RPM SATA
  • Commands used:
    n2disk -i zc:eth1 -o /storage/ -p 1024 -b 4096 -q 1 -C 4096 -S 0 -c 1 -w 2

High Performance

Traffic Type           | Compression Rate | Throughput
Synthetic (64 bytes)   | 95%              | Wire Rate
High-Frequency Trading | 82%              |
Internet/GTP           | 6-10%            |

System Configuration

With indexing and PCAP compression enabled:

  • OS: Ubuntu 16.04
  • CPU: Intel(R) Xeon(R) E5-1660 v3 @ 3.0GHz
  • Motherboard: Supermicro
  • Memory: 32 GB
  • Card: Intel PCIe X520 10 Gigabit
  • Disks: 8x 1TB 10K RPM SATA
  • Commands used:
    n2disk -i zc:eth1 -o /storage/ -b 4096 -C 4096 -p 1024 -g -s 1518 -M -l -A /storage/timeline/ -Z -S 0 -c 1 -z 2,3 -w 4 -m 100 -n 50 -H

License

Licensee’s use of this software is conditioned upon acceptance of the terms specified by ntop.

Operating Systems

Linux

n2disk Options

n2disk™ is available in three flavours. You can test it as a binary package or get a permanent license. All Linux versions support Intel, Silicom, and Napatech NICs.
n2disk 10/40/100 Gbit also unlocks PF_RING FT for L7 filtering (no additional license required).

NOTE

Test reports have been measured on Linux in worst-case conditions (64-byte packets).

  • Dump speed depends on your disk setup and the server being used.

  • You can use n2disk™ as a software application or embedded on the nBox recorder.

  • Research and non-profit organizations can have n2disk™ at no cost. Please contact us for details.

  • Max Dump Speed: 1 Gigabit

    L7 Filtering: Supported (requires FT)

    Linux: Naive PF_RING Support

    Unix/OSX: Basic libpcap-based packet capture. Available upon request.

  • Max Dump Speed: 5 Gigabit

    L7 Filtering: Supported (requires FT)

    Linux: Enhanced PF_RING support (i.e. full packet acceleration).

    Unix/OSX: Basic libpcap-based packet capture. Available upon request.

  • Max Dump Speed: 10/40/100 Gigabit

    L7 Filtering: Supported (FT included)

    Linux: Multi-threaded zero-copy packet capture.

    Unix/OSX: Not available.