TurboCap is a feature-rich Gigabit Ethernet packet capture and injection solution with advanced features such as simultaneous full-rate capture and injection, multi-port traffic aggregation, and a configurable pass-thru mode. Wireshark integration supports packet capture using TurboCap interfaces and off-line analysis of TurboCap capture files. A native TurboCap API and a WinPcap/libpcap API are available for writing or porting your own Gigabit Ethernet applications. TurboCap includes a PCI Express Dual-Port or Quad-Port Gigabit Ethernet board, the TurboCap optimized driver, and a user-level API. TurboCap is available for Microsoft Windows® (XP and Vista) and Fedora® 10.
| | TurboCap 2 | TurboCap 4 |
Full-Rate Traffic Injection
pairwise and ALL ports from all the boards | pairwise and ALL ports from all the boards
Full-rate Gigabit Ethernet Capture
Full-rate Gigabit Ethernet packet capture is most needed when your network is exhibiting poor performance. There can be many reasons for this, including an attack on your network. These are the times when it is important to be able to capture traffic from your network without dropping any packets. TurboCap supports full-rate Gigabit capture even with the smallest packet size (64 bytes), which is the most challenging situation.
Aggregation of Gigabit Ethernet Traffic Sources
Capturing traffic in timestamp order from two different sources (e.g., a full-duplex link) is a common and important network analysis requirement. This is referred to as "aggregation" and provides a means to measure packet delays between multiple sources, such as the ingress and egress of a switch or router. TurboCap supports full-rate traffic aggregation of the traffic received on pairs of ports of the same board. This is presented to the user as a virtual port called a Board Aggregating Port (BAP).
TurboCap also supports aggregation of ALL of the ports on ALL of the TurboCap boards installed on your system. Specifically, with a single 4-port TurboCap board in a system, you can capture from each of the individual ports, from two 2-port aggregation ports (ports 0 and 1, and ports 2 and 3), and from an aggregation port corresponding to all 4 ports.
Often the preferred way to capture traffic is to tap into your network. TurboCap can emulate a network tap by being configured to inject the traffic received from one port to the other port on the same board. When the board is in pass-thru mode, the injection is done simultaneously for pairs of ports of the same board and, consequently, TurboCap can act as a network tap.
In the figure to the right, the gray blocks along the top edge represent a full duplex link with network traffic flowing in both directions. TurboCap, in pass-thru mode, can be inserted into a full duplex link in such a way that it preserves the traffic along the full duplex link. In the figure, Port A captures the traffic going from left-to-right, injects it back into the full duplex link through Port B, and also passes the captured traffic to user-level applications. On the other hand, Port B captures the traffic going from right-to-left, injects it back into the full duplex link through Port A, and also passes the captured traffic to user-level applications.
It is important to note that the combination of pass-thru mode and board aggregation provides the functionality of an aggregating tap.
The TurboCap card and optimized driver are capable of capturing full-rate Gigabit Ethernet traffic and delivering this data to an application. The overall application performance is often determined by a number of additional factors such as the application's computational tasks, disk write speed, CPU speed, and main memory size. TurboCap is integrated with WinPcap/libpcap and, consequently, supports applications such as Wireshark, Windump/tcpdump, and Ntop. Note that when using these applications with TurboCap, the capture performance at high data rates will be determined by the specific application. For more information on Wireshark performance in various load scenarios, see http://wiki.wireshark.org/Performance.
Full-rate Gigabit Ethernet Traffic Injection
For stress testing your network, TurboCap offers full-rate simultaneous Gigabit Ethernet traffic injection. The TurboCap API is available for developing a wide range of traffic injection applications, such as vulnerability testing. Packet sizes can range from 64 bytes to 9234 bytes (jumbo frames), and packets are transmitted in the order they are sent to the driver with minimal delay.
TurboCap offers a range of timestamp modes which trade timestamp accuracy for CPU utilization. You have the option of choosing the timestamp mode that best suits your needs, from highly accurate timestamps to no timestamp generation.
- Polling Mode. In this mode, a CPU polls for packet arrivals and timestamps the packet as soon as it is available from the board. These timestamps are very accurate (microsecond accuracy) but require a CPU to be running in a busy wait loop.
- Timer Mode. Timer mode uses a 1ms timer to periodically timestamp incoming packets. This puts very little load on the CPU and provides timestamps with millisecond accuracy.
- Off. In this case, no timestamps are generated and the timestamp fields in the packet meta-information are set to zero.
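An added example (not TurboCap code and not its API) of what port aggregation and the timestamp modes above mean for an analysis: two per-port streams are merged in timestamp order and ingress-to-egress delay is measured, first with microsecond timestamps and then with timestamps truncated to a 1 ms tick. The packet records, the `pkt_id` matching key and the truncation model of Timer Mode are assumptions made for illustration.

```python
import heapq
from collections import namedtuple

# One captured packet: timestamp in microseconds, capture port, and an
# identifier used to match the same packet on both ports (hypothetical key).
Pkt = namedtuple("Pkt", "ts_us port pkt_id")

# Constructed sample: port 0 taps a switch's ingress, port 1 its egress.
INGRESS = [Pkt(1000, 0, "a"), Pkt(1400, 0, "b"), Pkt(2900, 0, "c")]
EGRESS = [Pkt(1250, 1, "a"), Pkt(1900, 1, "b"), Pkt(3150, 1, "c")]

def quantize(stream, tick_us=1000):
    """Assumed model of a 1 ms timer: each packet gets the last tick's time."""
    return [p._replace(ts_us=p.ts_us - p.ts_us % tick_us) for p in stream]

def aggregate(*streams):
    """Merge per-port streams (each already time-ordered) by timestamp."""
    return list(heapq.merge(*streams, key=lambda p: p.ts_us))

def delays(merged, in_port=0, out_port=1):
    """Egress minus ingress timestamp for each packet seen on both ports."""
    pending, result = {}, {}
    for p in merged:
        if p.port == in_port:
            pending[p.pkt_id] = p.ts_us
        elif p.port == out_port and p.pkt_id in pending:
            result[p.pkt_id] = p.ts_us - pending.pop(p.pkt_id)
    return result

def port_sequence(merged):
    """Order in which ports appear in the aggregated stream."""
    return [p.port for p in merged]

if __name__ == "__main__":
    precise = aggregate(INGRESS, EGRESS)
    coarse = aggregate(quantize(INGRESS), quantize(EGRESS))
    print("microsecond timestamps:", delays(precise), port_sequence(precise))
    print("1 ms timestamps:       ", delays(coarse), port_sequence(coarse))
```

With the coarse timestamps, delays shorter than one tick collapse to zero or round up to a full millisecond, and packets from different ports that share a tick can no longer be ordered relative to each other.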
TurboCap Performance and Recommended Hardware
The TurboCap capture board and optimized drivers (Microsoft Windows and Fedora 10) are only two of the components that determine the overall capture performance of your system. The 2-port TurboCap board requires either a 4-lane or 8-lane PCIe host interface and the 4-port TurboCap board requires an 8-lane PCIe host interface. In order to achieve maximum performance of your TurboCap system, we recommend the following minimum hardware requirements:
- PCIe: Either x4 or x8 PCI Express slots depending on the TurboCap board
- CPU: Pentium-D (dual core) processor or multiple CPUs (SMP), 2.8GHz
- Memory: 2GB RAM
- Disk: Full-rate dump-to-disk requires disk arrays that have sufficient capacity and speed to keep up with full-rate Gigabit Ethernet. Disk capacity and speed can be achieved using highly parallel disk arrays.