EtherTAP - An AF_XDP based Ethernet TAP

 

What is this? #

EtherTAP is a software based Ethernet analysis and monitoring security tool which allows to obtain insight and to record selected (or all) traffic for further analysis and evaluation. EtherTAP is based on IXDP, which is an internal API at Inlab Networks on top of libxdp/AF_XDP. XDP/AF_XDP in zero-copy mode allows packet processing at wire-speed up to 100GbE full duplex.

EtherTAP operates in one of the following operational modes:

  • Mirroring Mode (sometimes called SPAN - Switch Port ANalyser - mode): In this case EtherTAP is connected with a single NIC to a port on a switch which has been configured as a mirroring port. Packets are solely being read, no packets are being injected.

  • Bridging Mode: In this mode EtherTAP acts as a networking bridge between both sides. This adds a small additional latency and jitter, but the presence of an inserted EtherTAP remains practically undetectable. This mode alllows fault injection simulating a defective link for protocol and application robustness testing (and potential other purposes).

Features #

  • Multithreading with up to 8 threads in busy polling IXDP/XDP mode, where one thread is operating on its own queue. One single thread/queue is already fully sufficient to handle 10GbE in bridging mode at wire speed.

  • MAC address RX statistics for each interface with direct vendor information and identification of locally administered MAC addresses (LAA).

  • Ethertype statistics with VLAN nesting up to 4 levels (0x8100 802.1q and 0x88a8 QinQ 802.1ad).

  • RPCL CLI

  • Fault injection in bridging mode simulates a defective link for protocol and application robustness testing. The following fault propabilities are adjustable at runtime for all or a configurable set of MAC source addresses:

    • Propability of packet loss
    • Propability of packet content corruption
    • Propability of packet length corruption (shortening and extending)

  • Dropping selected MAC source addresses, changable at runtime.

  • A very fast shared memory packet queue allows forwarding to a packet collection application without affecting IXDP packet processing performance. This packet queue is designed as a “multi producer - multi consumer” type of queue.

EtherTAP Project Status and Release Date #

EtherTAP is currently being tested with various NIC drivers. Documentation, manual pages and Linux distribution packaging are on the way. However, a final release date has not yet been fixed.

For recent informations see also the EtherTAP tagged posts @ blog.inlab.net