Someone asked Tuesday if there exists a mobile platform for capturing traffic on a 10GbE link for analysis in real time. Although I’d not heard of anyone selling such a device or bundle I thought it might be an interesting exercise to outline the parts required, estimate the cost, and review what one might need to install. Note this is all theoretical as I’ve not the parts or the lab at this time to test this out. Also, and this is important, everything below could also be used to build an inexpensive packet generator for network testing. Here are further instructions for doing this activity as well.
With regard to equipment, the first criteria would be a laptop with a high-performance Core i7 processor with plenty L3 cache, considerable main memory, and sporting at least one Thunderbolt port. I’m partial to Apple platforms, but recently HP and others have jumped on the Thunderbolt bandwagon. Here are several options:
- Apple Macbook Pro 15″ with Retina Display, 2.8Ghz, Quad-core Intel Core i7, Turbo boost up to 4Ghz, 16GB memory, 1TB PCIE Flash disk. $3,199 from Apple.
- HP ZBook 15″ with Quad-core Intel Core i7-4800MQ, 32GB memory, 256GB SATA Flash Drive. $3,810 from CDW.
- Lenovo Thinkpad W540, 15.6″ display, Intel Core-i7-4700MQ, 8GB of memory, 500GB of disk, from Lenovo for $1,119.
While the Apple platform has only half the memory it has four times the disk, with a high-speed PCIe flash interface that is considerably faster than the SATA interface used by HP, so all things should balance out. I added the Lenovo as it too has a Thunderbolt interface, but with only 8GB of memory, and a spinning disk the overall system performance with regard to capture will be impacted, consider this the solution on a budget. After some additional checking the Thinkpad W540 can be easily be upgraded to 16GB for $166
. Since this system has four memory sockets you can actually buy two of these kits and run it up to 32GB
, which for what would then be a $1,500 laptop would be pretty sweet.
Next, we need an enclosure with an internal PCIe interface to house a 10GbE capture card. My favorite is the mLogic mLink
which sells for $399
, and can be purchased from several resellers or directly from Apple. This enclosure has a PCIe 16 lane socket inside, but only 4 lanes of PCIe Gen2 are actually wired up, which is fine. Thunderbolt is a 10Gbps connection and 4 lanes of PCIe Gen2 is theoretically 16Gbps, but after overhead is more like 12Gbps.
For a capture card, I’d use the Solarflare SFN7122F which can be purchased from CDW for $1,055
. This is a dual port 10G card that includes the necessary Open Unload license so you can also run Solarflare’s SolarCapture Pro capture driver (SFS-SCP) which is also available from CDW for $233
. Finally, if you want to leverage accurate time stamping of packets via Precision Time Protocol you should buy a PTP (SFS-PTP) license also from CDW for $194
Finally, every Boy Scout knows you should always be prepared & carry you own two meter 10GbE Direct Attach cable, also $82
from CDW. Ok, now for setup…
First, install Linux on the laptop, these are the supported versions of the capture driver: RHEL 5 & 6, SLES 10 & 11. I’d suggest something with a 2.6.32 or newer kernel.
After making yourself comfortable with the system, installing optional stuff, customizing, updating everything, etc… You’ll need to visit the SolarCapture support page
at Solarflare to install the capture driver & supporting code. First, you need to install Open Onload 201310-u1 or newer. I’d suggest at least 201405-u1. For good measure, I’d also install the Linux Utilities RPM on this page (version 184.108.40.2069 or newer). Finally, there is the SolarCapture SDK (version 220.127.116.11). All this covered in the SolarCapture Pro User’s Guide (SF-108469-CD) which can also be found on the same webpage. That includes setting up and configuring the software.
So for roughly $5K you can build a pretty robust mobile workstation that can record 10G traffic at wire-rate…