A Visit From The Packet Company – Deep Dive into PacketRAID Technology
The Task at Hand
Jay & Liam have been tasked to build two systems to support the Packet Company’s software. They will take on the responsibility of building one of these two systems:
- Packet Recorder
- Packet Player
Both apprentices were briefed and only given a capture card to start with. A capture card, also known as a DAG (Data Acquisition and Generation) card is what it says on the tin. A DAG card provides a company with the ability to capture the traffic from their network for purposes such as security, troubleshooting and so on. DAG cards guarantee 100% packet capture on any network regardless of packet size, interface type, or network load. This project will help our apprentices demonstrate & develop key skills such as design, procurement, build & commissioning of devices. All these areas require an array of interaction and communication from outside and inside the company, as well as evaluation and decision-making skills.
To start, Jay & Liam were required to go and research building their server, for the Packet Company software to be built upon. The initial work was to research an appropriate chassis that could be portable, and all the internal components required. They then had to draft a document outlining the specifications and requirements of their device. From here, they had to present their research to other members of the Infrastar team in which a collective analysis was undertaken to ensure all the required components were covered, ready for the build.
Visit from Dr Andrew Thomson
Dr Andrew Thomson, the founder of The Packet Company and creator of the cutting edge PacketRAID technology, kindly took time to come and visit our apprentices to talk about the project that they are undertaking. Firstly, however, it is beneficial to provide some background and insight into The Packet Company and Dr Thomson. With over 20 years’ experience in designing complex systems, and with most of the previous decade spent working in network monitoring and traffic analysis, Dr Thomson had become frustrated with both the cost and level of functionality available in many commercial tools, and so, decided to develop his own. This resulted in the creation of PacketRAID.
PacketRAID is the all-in-one network recorder that can provide recording, playback and analysis capabilities in both portable and fixed server platform configurations. PacketRAID also comes in two variants: a ruggedised portable unit and a rack mounted version. The PacketRAID products are high speed multi-format data recorders which have been purposely designed for use in network security applications and test labs. They offer a single-platform solution to a wide range of test and monitoring requirements, combining ease of use with excellent performance and reliability. If you would like to find out more, visit The Packet Company website.
So, this is what our apprentices would be attempting to create (albeit not to the same high specification and performance of The Packet Company’s devices!). It was also agreed that Jay and Liam should attempt to build their machines as portable as possible, as Infrastar want to demonstrate their creations and utilise them for sessions with CyberFirst.
As aforementioned, Dr Thomson kindly took time out of his schedule to sit down and discuss with Jay and Liam about their project. Additionally, Dr Thomson also came equipped with one of his very own portable PacketRAID devices, which our apprentices were unaware of, but presently surprised with! To have such a personal one-to-one demonstration with the creator of such a high specification and cutting-edge technology was an invaluable opportunity!
Dr Thomson started off by allowing one of our apprentices to open the chassis of the portable PacketRAID system. He then went on to explain the internal components to his portable PacketRAID system, providing explanations on the chosen hardware.
After going through the internal components with our apprentices, Dr Thomson proceeded to demonstrate the capabilities and functionality of the PacketRAID system.
At the penultimate part of the session, Dr Thomson uploaded a PCAP file to the PacketRAID system, taken from a Network Forensics session that one of the Infrastar team had previously undertaken. The PCAP was played back at of 1Gb/s and analysed. As can be seen from the picture below, the PCAP held information displaying an attack on a server.
To finish the session off, Dr Thomson held a Q&A with our apprentices, which was tremendously insightful and very valuable. A transcript of a few of the questions put to Dr Thomson by our apprentices are below. The full Q&A will be available as a video soon!
Q (Liam): How much storage would you recommend for our recorders?
A: So, for your recorders, I would recommend somewhere around 256GB, perhaps up to 1TB would be fine, that is going to capture loads of traffic. If you’re recording your office network (Infrastar Office), you’re going to be using a few gigabytes a day, unless people are streaming a lot of video or doing a lot of downloads. But for normal office work, it won’t be huge amounts, you might be using around 100GB a month. So, if you put double that on your recorders, then that will be fine.
Q (Liam): Is that the same for replayers?
A: You can use more for replayers, as you may want a library of different recordings. And then if you are using them in a lab testing environment, you might want 1TB/2TB of storage or even more.
Q (Jay): Have you ever overclocked your machines? To try and get extra performance out of them.
A: No not on these, I have on PCs at home! But no, not on our products. We actually go the opposite way; we are very cautious on the technology front so we try to over spec everything so the machines are not pushing any limits if we can avoid it.
Q (Jay): Have you ever thought about using GPUs for processing power, rather than the CPUs?
A: Yes actually, we have looked at GPUs and also the add-on CPUs like the Xeon Phi which is like a whole collection of additional CPU cores. The challenge we have got is that on the recorders we build, which is generally designed for high performance, so 40Gbs or 100Gbs, it’s not processing power that’s the challenge, its memory bandwidth and just moving those huge amounts of data around between the card, CPU, memory and then out to storage. So, I think there is a place for GPUs and the Xeon 5, but it is probably not for inside the type of systems we are building. Its more for in process intensive workloads.
Q (Jay): What is the highest spec build you do and what kind of performance would do you reach?
A: That’s a really good question! Actually, we are currently building a 100Gb/s recorder at the moment. So that will do 100Gb/s for ethernet packet capture and it actually goes a bit faster, it will capture telecoms format that is called OTU-4 at 112Gb/s! We have actually got that working in the lab at the moment and we will hopefully be launching that very soon as it is pretty close to being ready now. That’s where we are and as far as we are aware, that is the fastest recorder you’ll be able to get at 112Gb/s. We haven’t seen anything that goes faster than that. We think it’s quite hard work, we think we are pushing the envelope there with that performance!
To finish, Dr Thomson reiterated his excitement about the project saying “the project you are doing is fantastic. Building and spec’ing your own servers and then building your recorders is really exciting to see how that takes shape. Also, building a network and capturing traffic off it, I think, is a really, really good thing to do! And I’m looking forward to being involved in that and really pleased!”.