Hardware nanosecond‐precision timestamping for line‐rate packet capture

Author:

Huang Xiaoying (1)

Affiliation:

1. Peng Cheng Laboratory, Shenzhen, Guangdong, China

Abstract

Cybersecurity events occur frequently. Investigating security threats requires a 100 percent accurate, packet‐level network history, which depends on packet capture with high‐precision packet timestamping. Many packet capture applications are built on the Data Plane Development Kit (DPDK), a set of libraries and drivers for fast packet processing. However, DPDK cannot give an accurate timestamp for every packet, and it cannot truly reflect the order in which packets arrive at the network interface card. In addition, DPDK‐based applications cannot achieve zero packet loss for small packets, such as 64 B, at rates beyond 10 Gigabit Ethernet. Therefore, the authors propose a new method based on a Field‐Programmable Gate Array (FPGA) to solve this problem. The authors also develop a DPDK driver for FPGA devices to make the design compatible with all DPDK‐based applications. The proposed method performs timestamping at line rate for 10 Gigabit Ethernet traffic at 4 ns precision and at 1 ns precision for 25 Gigabit, which greatly improves the accuracy of retrospective analysis of security incidents. Furthermore, the design can capture full‐size packets for any protocol with zero packet loss and can be applied to 40/100 Gigabit systems as well.

Funder

National Key Research and Development Program of China

Publisher

Institution of Engineering and Technology (IET)


Cited by 1 article.

1. Meeting Latency and Jitter Demands of Beyond 5G Networking Era: Are CNFs Up to the Challenge?;2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC);2024-07-02
