OC12mon
Integrating Packet Filtering with Coral OC12mon Monitors
Most traffic (>99.9%) is "uninteresting"; for the traffic that is interesting, we want to
- collect more (full frames),
- keep more.
Coral monitors are designed (mainly) for promiscuous, partial-frame capture,
not selective, full-frame capture.
Contention for the bus and SAR are the main bottlenecks for
persistent, full-frame capture. Must optimize on-card,
hardware-based filtering and on-host, software-based SAR and
filtering.
- Implement a subset of the BSD Packet Filter (BPF) language
  in NIC FPGA firmware to maximize on-card filtering,
  - e.g. notch out port 80 and 8080 flows.
- Optimize on-host SAR and frame processing:
  - zero-copy reassembly;
  - compiled BPF filters.
- Implement on-host dynamic filtering (BPF-based) to further reduce
  data and output to disk.
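
The port 80/8080 notch mentioned above, written as a program for a reduced BPF-style instruction set with a small interpreter. This is an added example, not code from the Coral project. The opcode names, `notch_http`, `bpf_run`, `make_pkt` and `sample` are hypothetical, and the buffer is assumed to start at the IPv4 header of a reassembled frame.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical opcode names for a reduced BPF-style machine; not the real BPF encoding. */
enum op { LDB, LDH, LDHX, LDXMSH, JEQ, JSET, RET };
struct insn { enum op op; uint8_t jt, jf; uint32_t k; };
/* "not (tcp port 80 or tcp port 8080)"; assumes the buffer starts at the IPv4 header. */
static const struct insn notch_http[] = {
    { LDB,    0, 0, 9 },      /*  0: A = IP protocol                         */
    { JEQ,    0, 9, 6 },      /*  1: not TCP -> keep (11)                    */
    { LDH,    0, 0, 6 },      /*  2: A = flags + fragment offset             */
    { JSET,   7, 0, 0x1fff }, /*  3: later fragment carries no ports -> keep */
    { LDXMSH, 0, 0, 0 },      /*  4: X = 4 * IHL, so IP options are skipped  */
    { LDHX,   0, 0, 0 },      /*  5: A = source port                         */
    { JEQ,    5, 0, 80 },     /*  6: match -> drop (12)                      */
    { JEQ,    4, 0, 8080 },   /*  7: match -> drop                           */
    { LDHX,   0, 0, 2 },      /*  8: A = destination port                    */
    { JEQ,    2, 0, 80 },     /*  9: match -> drop                           */
    { JEQ,    1, 0, 8080 },   /* 10: match -> drop, else fall through        */
    { RET,    0, 0, 0xffff }, /* 11: keep (bytes to capture)                 */
    { RET,    0, 0, 0 },      /* 12: drop                                    */
};

/* Runs a program; returns bytes to keep, 0 = drop. Out-of-range loads drop the packet. */
static uint32_t bpf_run(const struct insn *p, const uint8_t *pkt, size_t len) {
    uint32_t a = 0, x = 0;
    for (size_t pc = 0;; pc++) {
        const struct insn *i = &p[pc];
        size_t off = (size_t)i->k + (i->op == LDHX ? x : 0);
        switch (i->op) {
        case LDB:    if (off >= len) return 0; a = pkt[off]; break;
        case LDXMSH: if (off >= len) return 0; x = 4u * (pkt[off] & 0x0f); break;
        case LDH: case LDHX:
            if (off + 2 > len) return 0; a = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case JEQ:    pc += (a == i->k) ? i->jt : i->jf; break; /* offsets relative to pc+1 */
        case JSET:   pc += (a & i->k) ? i->jt : i->jf; break;
        case RET:    return i->k;
        }
    }
}

static uint8_t sample[64]; /* constructed sample packet: only fields the filter reads are set */
static size_t make_pkt(uint8_t proto, uint8_t ihl, uint16_t frag, uint16_t sp, uint16_t dp) {
    size_t h = 4u * ihl;
    memset(sample, 0, sizeof sample);
    sample[0] = 0x40 | ihl; sample[6] = frag >> 8; sample[7] = frag & 0xff; sample[9] = proto;
    sample[h] = sp >> 8; sample[h + 1] = sp & 0xff; sample[h + 2] = dp >> 8; sample[h + 3] = dp & 0xff;
    return h + 4;
}
```

`bpf_run(notch_http, pkt, len)` returns 0 for packets the notch removes. Non-first fragments are kept because their port fields are payload bytes, which is the case a fixed-offset hardware match would get wrong.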