What is this?
EtherTAP is a software-based Ethernet analysis and monitoring security tool that provides insight into network traffic and records selected (or all) traffic for further analysis and evaluation. EtherTAP is based on IXDP, an internal API at Inlab Networks built on top of libxdp/AF_XDP. XDP/AF_XDP in zero-copy mode allows packet processing at wire speed up to 100GbE full duplex.
EtherTAP operates in one of the following operational modes:
- Mirroring Mode: In this mode EtherTAP is connected with a single NIC to a switch port that has been configured as a mirroring port. Packets are only read; no packets are injected.
- Bridging Mode: In this mode EtherTAP acts as a network bridge between both sides. This adds a small amount of latency and jitter, but the presence of an inserted EtherTAP remains practically undetectable. This mode allows fault injection simulating a defective link for protocol and application robustness testing (and potential other purposes).
Features, so far:
- Multithreading with up to 8 threads in busy-polling IXDP/XDP mode, where each thread operates on its own queue. However, a single thread/queue is already fully sufficient to handle 10GbE in bridging mode at wire speed. Test results for 40GbE and 100GbE are not yet available.
- MAC address RX statistics for each interface with direct vendor information and identification of locally administered MAC addresses (LAA).
- Ethertype statistics with VLAN nesting up to 4 levels (0x8100 802.1q and 0x88a8 QinQ 802.1ad).
- RPCL CLI with daemon background operation if desired (see RPCL)
- Fault injection in bridging mode simulates a defective link for protocol and application robustness testing. The following fault probabilities are adjustable at runtime for all or a configurable set of MAC source addresses:
  - Probability of packet loss
  - Probability of packet content corruption
  - Probability of packet length corruption (shortening and extending)
- Dropping selected MAC source addresses, changeable at runtime.
- Forwarding of selected packets as a stream to a small helper process, which then writes PCAP files (or PCAP format to stdout) for further analysis. This packet stream uses the local loopback interface for unidirectional IPC transport to avoid bandwidth issues.
More available soon.
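The LAA identification and nested-VLAN Ethertype features listed above can be illustrated with a small frame classifier. This is an added example, not EtherTAP or IXDP code; `frame_info`, `classify_frame` and the sample frame are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VLAN_TAGS 4      /* nesting limit named in the feature list */
#define TPID_8021Q    0x8100 /* 802.1Q tag */
#define TPID_8021AD   0x88a8 /* 802.1ad (QinQ) service tag */

struct frame_info {              /* hypothetical result record */
    int      src_is_laa;         /* source MAC is locally administered */
    int      vlan_depth;         /* number of stacked VLAN tags */
    uint16_t vid[MAX_VLAN_TAGS]; /* VLAN IDs, outermost first */
    uint16_t ethertype;          /* first non-VLAN Ethertype */
};

/* Constructed sample: LAA source, 802.1ad VID 100, 802.1Q VID 200, IPv4. */
static const uint8_t sample_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* destination MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* source MAC, LAA bit set */
    0x88, 0xa8, 0x00, 0x64,               /* outer tag */
    0x81, 0x00, 0x00, 0xc8,               /* inner tag */
    0x08, 0x00 };                         /* payload Ethertype */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if truncated, -2 if more than MAX_VLAN_TAGS tags. */
int classify_frame(const uint8_t *buf, size_t len, struct frame_info *out)
{
    size_t off = 14;                      /* two MACs plus first Ethertype */
    if (len < off) return -1;
    out->src_is_laa = (buf[6] & 0x02) != 0; /* bit 1 of first octet = LAA */
    out->vlan_depth = 0;
    uint16_t type = rd16(buf + 12);
    while (type == TPID_8021Q || type == TPID_8021AD) {
        if (out->vlan_depth == MAX_VLAN_TAGS) return -2;
        if (len - off < 4) return -1;     /* bounds check before each tag read */
        out->vid[out->vlan_depth++] = rd16(buf + off) & 0x0fff;
        type = rd16(buf + off + 2);
        off += 4;
    }
    out->ethertype = type;
    return 0;
}

int main(void)
{
    struct frame_info fi;
    if (classify_frame(sample_frame, sizeof sample_frame, &fi) == 0)
        printf("laa=%d depth=%d type=0x%04x\n", fi.src_is_laa, fi.vlan_depth, fi.ethertype);
    return 0;
}
```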