High speed packet capture
Abstract
Packets can be read from a network interface into an application using a single kernel copy. In one embodiment, the invention includes a receiver packet memory to store captured packets, and a network interface driver operating in a kernel of a device to read packets captured by network interface hardware into the kernel by storing captured packets in the receiver packet memory. Then, an application interface can expose the receiver packet memory to an application executing on the device by representing the receiver packet memory as a virtual file.
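The mechanism in the abstract, sketched from user space as an added example (not code from the patent or any product): a regular temporary file stands in for the virtual file, and the length-prefixed packet layout, the zero-length wrap marker and the names `ring_put`, `ring_drain` and `demo` are assumptions. It assumes non-empty packets smaller than the ring and a reader that keeps up with the writer, and it also checks that a handle opened read-only is refused a writable shared mapping.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define RING 32u  /* constructed size, small enough that the third packet wraps */
struct region { uint32_t head; uint8_t ring[RING]; };  /* control word + packet memory */

/* Simulated driver side: store [len][payload] right after the last packet; if it does not fit, zero the tail end (len 0 = wrap marker) and restart at 0. */
static void ring_put(struct region *r, const char *p) {
    uint16_t len = (uint16_t)strlen(p);
    if (r->head + 2u + len > RING) { memset(r->ring + r->head, 0, RING - r->head); r->head = 0; }
    memcpy(r->ring + r->head, &len, 2);
    memcpy(r->ring + r->head + 2, p, len);
    r->head += 2u + len;                             /* head now ends the last new packet */
}

/* Application side: copy the packets between *tail and head out of a read-only view. */
static size_t ring_drain(const struct region *r, size_t *tail, char *out) {
    size_t n = 0;
    while (*tail != r->head) {
        uint16_t len = 0;
        if (*tail + 2u <= RING) memcpy(&len, r->ring + *tail, 2);
        if (len == 0) { *tail = 0; continue; }       /* wrap marker, or no room for a header */
        memcpy(out + n, r->ring + *tail + 2, len);
        n += len; *tail += 2u + len;
    }
    out[n] = '\0'; return n;
}

/* Returns 1 if the read-only handle is refused a writable mapping, -1 on setup failure. */
static int demo(char *out) {
    char path[] = "/tmp/rxring-XXXXXX";              /* regular file standing in for the virtual file */
    int wfd = mkstemp(path), rfd = open(path, O_RDONLY);
    if (wfd < 0 || rfd < 0 || ftruncate(wfd, sizeof(struct region)) != 0) return -1;
    struct region *drv = mmap(NULL, sizeof *drv, PROT_READ | PROT_WRITE, MAP_SHARED, wfd, 0);
    const struct region *app = mmap(NULL, sizeof *app, PROT_READ, MAP_SHARED, rfd, 0);
    void *rw = mmap(NULL, sizeof *app, PROT_READ | PROT_WRITE, MAP_SHARED, rfd, 0);
    unlink(path);
    if (drv == MAP_FAILED || app == MAP_FAILED) return -1;
    ring_put(drv, "GET /a "); ring_put(drv, "GET /bb ");   /* constructed payloads */
    size_t tail = 0, n = ring_drain(app, &tail, out);
    ring_put(drv, "POST /ccc-wraps");                /* no room at offset 19, so it wraps to 0 */
    ring_drain(app, &tail, out + n);
    return rw == MAP_FAILED;
}
int main(void) { char out[64] = ""; printf("ro=%d data=%s\n", demo(out), out); return 0; }
```

The reader never copies through a second kernel buffer: it follows `head` in the shared mapping and reads each packet in place.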
18 Claims
1. A method for reading data into an application, the method comprising:
- reading a packet of data captured by a network interface coupled to a network interface driver that provides a communicative interface between the network interface and a kernel of a capture system;
- storing the packet in a receiver packet memory in a wraparound fashion such that the packet is placed contiguously next to a last new packet received, and wherein the packet and the last new packet are stored as read only data in the receiver packet memory such that multiple applications can access the packets, wherein the network interface and the network interface driver are configured on a kernel side of an operating system provisioned within the capture system, and wherein the applications reside on an application side of the capture system that is different from the kernel side;
- updating a head indicator, the head indicator identifying the last new packet in the receiver packet memory; and
- representing the receiver packet memory as a virtual file, wherein a first application of the multiple applications is configured to migrate packets from the receiver packet memory by memory mapping the virtual file, the first application employing file system commands and handles to reference and to manipulate selected data in the receiver packet memory such that the virtual file is mapped in a read only mode to allow a second application of the multiple applications to access the selected data in the receiver packet memory, and wherein the capture system includes a control memory that provides a plurality of pointers to the receiver packet memory in order to allow access to the control memory by both the network interface driver and the first and second applications through an application interface.
7. A capture device comprising:
- a receiver packet memory to store captured packets that include data;
- a network interface driver operating in a kernel of the capture device to read packets captured by a network interface module into the kernel by storing captured packets in the receiver packet memory in a wraparound fashion such that the packet is placed contiguously next to a last new packet received, and wherein the packet and the last new packet are stored as read only data in the receiver packet memory such that multiple applications can access the packets; and
- an application interface configured to expose the receiver packet memory to a first application of the multiple applications executing on the capture device by representing the receiver packet memory as a virtual file, wherein the network interface module and the network interface driver are configured on a kernel side of an operating system provisioned within the capture device, and wherein the applications reside on an application side of the capture device that is different from the kernel side, and wherein the first application is configured to migrate packets from the receiver packet memory by memory mapping the virtual file, the first application employing file system commands and handles to reference and to manipulate selected data in the receiver packet memory such that the virtual file is mapped in a read only mode to allow a second application of the multiple applications to access the selected data in the receiver packet memory, and wherein the capture device includes a control memory that provides a plurality of pointers to the receiver packet memory in order to allow access to the control memory by both the network interface driver and the first and second applications through the application interface.
14. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor running an operating system kernel and at least one application, cause the processor to perform operations comprising:
- reading a packet of data captured by a network interface coupled to a network interface driver that provides a communicative interface between the network interface and a kernel of a capture system, the packet of data being part of a document that includes a plurality of objects that identify characteristics of the document, wherein the document is captured based on a capture rule that specifies the objects, and wherein the capture rule designates whether to discard or to store the objects of the document, and wherein the capture rule is part of a default rule set for a capture system configured to monitor network traffic and capture the document;
- storing the packet in a receiver packet memory in a wraparound fashion such that the packet is placed contiguously next to a last new packet received, and wherein the packet and the last new packet are stored as read only data in the receiver packet memory such that multiple applications can access the packets, wherein the network interface and the network interface driver are configured on a kernel side of an operating system provisioned within the capture system, and wherein the applications reside on an application side of the capture system that is different from the kernel side;
- updating a head indicator, the head indicator identifying the last new packet in the receiver packet memory; and
- exposing the receiver packet memory to the application by representing the receiver packet memory as a virtual file wherein a first application of the multiple applications is configured to migrate packets from the receiver packet memory by memory mapping the virtual file, the first application employing file system commands and handles to reference and to manipulate selected data in the receiver packet memory such that the virtual file is mapped in a read only mode to allow a second application of the multiple applications to access the selected data in the receiver packet memory, and wherein the capture system includes a control memory that provides a plurality of pointers to the receiver packet memory in order to allow access to the control memory by both the network interface driver and the first and second applications through an application interface.
Specification