• Stars
    star
    176
  • Rank 216,987 (Top 5 %)
  • Language
    C
  • License
    Other
  • Created about 10 years ago
  • Updated over 8 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A netmap-based packet layer for distributing and filtering traffic.

README

Packet Bricks is a Linux/FreeBSD daemon that is capable of receiving and distributing ingress traffic to userland applications. Its main responsibilities may include (i) load-balancing, (ii) duplicating and/or (iii) filtering ingress traffic across all registered applications. The distribution is flow-aware (i.e. packets of one connection will always end up in the same application). At the moment, packet-bricks uses netmap packet I/O framework for receiving packets. It employs netmap pipes to forward packets to end host applications.

Before running packet-bricks, please make sure that you have installed the netmap driver successfully. You should first try running the sample pkt-gen binary (that is available in the netmap's examples/) directory to see if the driver is operational. The netmap module is continuously being updated with enhancements and bug fixes (as is common for all open source tools including packet bricks). Before using packet bricks, please make sure that you have downloaded and updated the netmap kernel module with its latest version. The netmap authors suggest building the netmap module into the kernel for performance reasons. You can download the latest netmap driver from the following link: https://github.com/luigirizzo/netmap.

The following guide provides a walkthrough of the /usr/local/etc/bricks-scripts/startup-*.lua files and also explains what this system is capable of.

                    					    	     _________
                    						        |	      |
                    						        |  APP 1  |
                    						        |_________|
                    				   	  eth3}0     /
          	   	    	      	      ______________/
          	   	    	      	     |
          	   	    	      	     |		         _________
          	   	    	      	     |    eth3}1    |	      |
          	   	    	      	     |  ____________|  APP 2  |
          	   	    	      	     | |            |_________|
   1/10 Gbps link     	     	     | |	
   |||||||||||||| ------->eth3{PACKET-BRICKS}	     _________
                				     | |  eth3}2    |	      |
                				     | |____________|  APP 3  |
                    				 |  		    |_________|
                				     |
                				     |    eth3}3
                	 			     |_____________  
                    				     		   \
                        						    \_________
                        	      			        |	      |
                    	                            |  APP 4  |
                                				    |_________|

Figure 1: A sample packet-bricks instance redirecting ingress traffic from eth3 to 4 userland applications using a LoadBalancer brick

User can start the program by running the following command:

# bricks [-f startup_script_file]

To start the program as a daemon, either type:

# bricks -d [-f startup_script_file]

OR

# bricks-server [-f startup_script_file]

If the system is executed as a non-daemon, it opens a LUA-based shell. Type the following command to print the help menu:

	bricks> BRICKS.help()
	BRICKS Commands:
    	    help()
    	    print_status()
    	    show_stats()
            shutdown()
          Available subsystems within BRICKS have their own help() methods:
          pkteng

Alternatively, the user can run bricks-shell to access the interface shell to communicate with daemonized bricks-server.

You can hit Ctrl+D to exit the bricks-shell client. To gracefully turn the daemon off, the user may enter the following command to exit the program:

	bricks> BRICKS.shutdown()
	Goodbye!

Packet bricks relies on netmap pipes to distribute traffic across multiple applications. Some OSes have netmap pipes disabled by default. Please use the following command to enable netmap pipes (if needed) in a packet bricks session:

	bricks> utilObj:enable_nmpipes()

In packet-bricks, the most important component is the pkteng module. It manages the reception and distribution of ingress traffic coming through an interface. Once instantiated, the pkteng module spawns a thread that starts the packet reception process. After running packet-bricks again, use the following command to create a pkteng instance, pe:

	bricks> pe = PktEngine.new("e0")

The "e0" field is internally used by packet-bricks as pkteng's ID. You can delete the pkteng instance by running the following command:

	bricks> pe:delete()

The pkteng instance can be instantiated with the possibility of affinitizing the engine thread to an arbitrary cpu core id:

	bricks> pe = PktEngine.new("e0", 1024, 1)

The last parameter affinitizes the module to CPU 1 once the engine thread starts reading packets. In packet-bricks, ingress traffic can be manipulated with packet engine constructs called "bricks". Currently packet-bricks has the following built-in bricks that are available for use:

  1. LoadBalancer: Brick that may be used to split flow-wise traffic to different applications using netmap pipes.

  2. Duplicator: Brick that may be used to duplicate traffic across each registered netmap pipe.

  3. Merge: Brick that may be used to combine traffic between 2 or more netmap pipes.

  4. PcapReader: Brick that may be used to read ingress traffic from a pcap dump file.

  5. PcapWriter: Brick that may be used to redirect ingress traffic to a pcap dump file.

  6. Filter: Brick that can be used for traffic shaping. It accepts remote requests over the network using Bro's broker library. The message bundle is created using the NetControl protocol. This can only be used when Packet bricks is compiled with broker plugin.

A packet engine can be linked to any of these bricks with any combination/configuration of user's liking. Please see the scripts/ example directory to see how bricks can be used to run variants of such packet engines.

The succeeding text uses a simple load balancing brick ("LoadBalancer") to show how packet-bricks runs. A freshly instantiated packet engine can be used to link the LoadBalancer as:

	bricks> lb = Brick.new("LoadBalancer", 2)
	bricks> lb:connect_input("eth3")
	bricks> lb:connect_output("eth3{0", "eth3{1", 
				  "eth3{2", "eth3{3", "eth2")
	bricks> pe:link(lb)

This binds pkteng pe with LoadBalancer brick and asks the system to read ingress packets from eth3 and split them flow-wise based on the 2-tuple (src & dst IP addresses) metadata of the packet header. The "lb:connect_output(...)" command creates four netmap-specific pipes named "netmap:eth3{x" where 0 <= x < 4 and an egress interface named "eth2". The traffic is evenly split between all five channels based on the 2 tuple header as previously mentioned. Userland applications can now use packet-bricks to get their fair share of ingress traffic. The brick is finally linked with the packet engine.

One can always unlink the brick by running the following command:

	bricks> pe:unlink()

If the user is content with the packet engine setup, he/she can bypass unlinking and start the engine:

	bricks> pe:start()

The engine will start sniffing for packets from the interface promiscuously. You can use the following command to get the run-time packets-related statistics from the engine:

	bricks> pe.show_stats()

Sample applications (e.g. netmap's pkt-gen) can read ingress traffic from packet-bricks using following command line arguments:

	$ sudo ./pkt-gen -i netmap:eth3}0 -f rx &
	$ sudo ./pkt-gen -i netmap:eth3}1 -f rx &
	$ sudo ./pkt-gen -i netmap:eth3}2 -f rx &
	$ sudo ./pkt-gen -i netmap:eth3}3 -f rx &

Please note that you cannot unlink a brick from the pkteng while the engine is running. To stop the engine, please run the following command:

	bricks> pe:stop()

For user's convenience, the packet-bricks package comes with a reference LUA script file: please see scripts/startup-*.lua files for details. You can also use the following command to load the script file in packet-bricks at startup:

# bricks -f /usr/local/etc/bricks-scripts/startup-one-thread.lua

OR

# bricks-server -f /usr/local/etc/bricks-scripts/startup-one-thread.lua

The user is recommended to skim through the script file. It is heavily documented. The scripts directory also contains code for running a 4-threaded version of the pkteng (see /usr/local/etc/bricks-scripts/startup-multi-threads.lua).

New

We have created 2 new tools that can quickly set up (i) load-balancer, and (ii) duplicator.

i) The user can use bricks-load-balance to split traffic for a given interface. Example usage:

$ bricks-load-balance eth3 4

The example above will split traffic on netmap-enabled interface, eth3, to 4 netmap pipe channels named eth3}0, eth3}1, eth3}2 and eth3}3.

ii) The user can use bricks-duplicate to duplicate ingress traffic for the given interface. Example usage:

$ bricks-duplicate eth3 4

The example above will duplicate traffic on netmap-enabled interface, eth3, to 4 netmap pipe channels named eth3}0, eth3}1, eth3}2 and eth3}3.

Connecting with broker

Packet bricks can be configured to accept remote requests via the broker communication module. Users can perform simple traffic shaping tasks by issuing requests to specific Filter bricks. Packet bricks uses NetControl protocol for this purpose. A user can refer to each Filter via the output netmap pipe name of the brick.

Troubleshooting

Packet bricks is still in development stages. While we welcome feedback, we suggest that you refer to the following pointers before contacting the authors for bug reports.

  1. Please install the required libraries mentioned in INSTALL file. As the system is still under active development, the program may exhibit unexpected behavior if libraries are not installed.

  2. The README file in the netmap/ directory contains pointers on how to enhance packet I/O performance. We suggest you to follow their guide for extracting maximum performance out of packet bricks as well.

  3. Some users have reported erroneous behavior when executing tcpdump with netmap-libpcap patch. tcpdump has compatibility constraints with libpcap. Please refer to http://www.tcpdump.org/#old-releases to verify which tcpdump version should be linked with the latest netmap-libpcap release. At the time of writing, the latest netmap-libpcap version is 1.6.0. The compatible tcpdump version for this release is 4.6.0.

  4. Please report further bugs to: [email protected]

More Repositories

1

zeek

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
C++
6,303
star
2

spicy

C++ parser generator for dissecting protocols & files.
C++
244
star
3

packages

The default package source of the Zeek Package Manager. Wrote a package? See the README for how to get it included.
127
star
4

zeek-agent

This project is no longer maintained. There's a successor at https://github.com/zeek/zeek-agent-v2
C++
125
star
5

zeek-osquery

Bro/Zeek integration with osquery
95
star
6

zeek-docker

Docker files for building Zeek.
Dockerfile
85
star
7

binpac

High level language for describing protocol parsers.
C++
69
star
8

broker

Zeek's Messaging Library
C++
64
star
9

bro-scripts

Misc. Bro scripts
Bro
64
star
10

zeek-agent-v2

Open source endpoint agent providing host information to Zeek. [v2]
C++
61
star
11

zeekctl

Tool for managing Zeek deployments.
Python
53
star
12

bro-plugins

(OBSOLETE) Plugins for Bro
53
star
13

pysubnettree

A Python Module for CIDR Lookups
C++
50
star
14

cheat-sheet

The Bro/Zeek language cheat sheet
49
star
15

cmake

CMake scripts used in Zeek
CMake
48
star
16

zeek-docs

Documentation for Zeek
Zeek
48
star
17

package-manager

A package manager for Zeek
Python
42
star
18

time-machine

Time-Machine Dynamic Bulk Packet Recorder
C++
35
star
19

paraglob

A fairly quick data structure for matching a string against a large list of patterns.
C
34
star
20

zeek-training

Zeek Training Materials/Products
Zeek
34
star
21

zeek-af_packet-plugin

Plugin providing native AF_Packet support for Zeek.
C++
33
star
22

spicy-analyzers

Growing collection of Spicy-based protocol and file analyzers for Zeek
32
star
23

zeek-aux

Zeek Auxiliary Programs
Shell
25
star
24

trace-summary

Generates network traffic summaries.
Python
21
star
25

btest

A Generic Driver for Powerful System Tests
Python
20
star
26

zeek-sublime

Zeek scripting language highlighting/support for Sublime Text
Zeek
19
star
27

zeek-netcontrol

Connectors for the Zeek NetControl framework
Python
19
star
28

try-zeek

Code for try.zeek.org.
JavaScript
18
star
29

bro-live

Bro Live! A Bro training/learning environment.
Groff
14
star
30

zeek-agent-framework

This project is no longer maintained. There's a successor at https://github.com/zeek-packages/zeek-agent-v2
Zeek
14
star
31

broccoli-python

(DEPRECATED) Python bindings for Broccoli
Python
13
star
32

capstats

A tool to get some NIC statistics.
C++
12
star
33

spicy-ldap

LDAP analyzer
Zeek
10
star
34

zeekscript

A toolchain to parse, analyze, and format Zeek scripts
Python
9
star
35

vim-zeek

Vim syntax highlighting for the Zeek scripting language (.zeek and .bro files)
Vim Script
8
star
36

broccoli

(DEPRECATED) Bro Client Communications Library
C
6
star
37

spicy-plugin

Spicy plugin for Zeek
C++
6
star
38

bromagic

(OBSOLETE) Custom libmagic database for Bro
TeX
5
star
39

zeek-netmap

Native Netmap Packet IOSource for Zeek
C++
5
star
40

bifcl

Built-In-Function (BIF) Compiler/Generator for Zeek
Yacc
4
star
41

zeek-benchmarker

Python
4
star
42

zeek-3rdparty

Third-party code used in Zeek.
C
4
star
43

zeek-client

Experimental implementation of Zeek's future cluster management client
Python
4
star
44

tree-sitter-zeek

A tree-sitter grammar for the Zeek scripting language
JavaScript
4
star
45

zeek-archiver

A Zeek log archival service
C++
3
star
46

zeek-demo

Go
3
star
47

zeek-pkg-web

Web viewer for packages maintained by the Zeek Package Manager, e.g. https://packages.zeek.org
PHP
3
star
48

package-website

New version of packages website
Python
3
star
49

spicy-http

Spicy-based analyzer for the HTTP protocol
CMake
3
star
50

broccoli-ruby

(DEPRECATED) Ruby bindings for Broccoli
Ruby
3
star
51

zeek-testing

Test baselines for Zeek.
Makefile
3
star
52

package-template

A Zeek package template for use with the zkg package manager
Python
3
star
53

action-zkg-install

A GitHub Action for testing and installing Zeek packages
Shell
2
star
54

spicy-pe

Spicy-based analyzer for the Portable Executable (PE) image format
Zeek
2
star
55

emacs-zeek-mode

An Emacs major mode for editing Zeek scripts
Emacs Lisp
2
star
56

brogments

A Pygments lexer for Bro/Zeek scripts
Python
2
star
57

zeek-package-ci

Python
2
star
58

spicy-aux

Auxiliary development support for Spicy
Shell
1
star
59

spicy-png

Spicy-based analyzer for the PNG file format
CMake
1
star
60

hello-world

A "hello world" Zeek package
Shell
1
star
61

spicy-dhcp

Spicy-based analyzer for the DHCP protocol
CMake
1
star
62

spicy-zip

Spicy-based analyzer for the ZIP file format
Zeek
1
star
63

broccoli-perl

(DEPRECATED) Perl bindings for Broccoli
Perl
1
star
64

spicy-dns

Spicy-based analyzer for the DNS protocol
CMake
1
star
65

gen-zam

A templator for the Zeek Abstract Machine
C++
1
star
66

zeek-testing-cluster

External testsuite for the Zeek Cluster Controller
Shell
1
star
67

website

Issue tracking for zeek.org
1
star
68

tree-sitter-zeek-src

Generated sources for https://github.com/zeek/tree-sitter-zeek
C
1
star
69

homebrew-zeek

Homebrew tap for Zeek subprojects
Ruby
1
star
70

spicy-tftp

Zeek package providing a Spicy-based TFTP analyzer
Zeek
1
star