Myricom logo

SNF API Reference

Sniffer Documentation

The Sniffer User Guide covers NIC and software installation as well as instructions on how to use Sniffer with libpcap-based applications. It is available from https://cspi.force.com/customersupport/

SNF API Reference

The SNF API is available for applications that require tighter integration than libpcap with Sniffer. When used in its simplest form, the library resembles Libpcap in that the implementation expects a single thread to make successive calls to a receive function (snf_ring_recv) to obtain the next available packet. Under a more advanced form, Sniffer implements a variation of the Receive-Side Scaling (RSS) feature that is present in some 10-Gigabit Ethernet drivers. However, Sniffer takes the additional step of implementing the RSS feature as multiple user-level zero-copy receive rings. Making the rings available in userspace provides two important advantages over all existing kernel-based packet capture solutions:

SNF API with Receive-Side Scaling

Sniffer translates the RSS feature into multiple rings in that data is hashed across many receive rings (or buffers or slices as is referenced in the myri10ge documentation). This feature assumes that users maintain a 1-to-1 relationship between user threads and rings. With each new call to snf_ring_recv, it is assumed that the previous packet in the ring has been completely consumed.

By default, the Sniffer implementation uses a deterministic hashing function to make sure that packets that are contained in a particular TCP or UDP flow are always delivered to the same ring (and hence to the same analysis thread). This hashing function resembles the hashing mechanisms used in existing RSS drivers.

SNF API with Duplication

While multiple rings are primarily designed to partition the incoming packet capture across multiple capture consuming rings, it is also possible to force each received packet to be duplicated into each ring such that every consuming ring obtains its own copy of every incoming packet. The duplication is handled by the Sniffer software on the host where there is typically plenty of memory bandwidth compared to the PCIe bus. Packet duplication can be enabled by setting the SNF_F_RX_DUPLICATE flag in snf_open.

SNF API with Port Aggregation (Merging)

With Sniffer 2.0, it is now possible to logically aggregate packets from two or more Ethernet ports. The functionality can be extended through to consumers that employ RSS or duplication. This feature can be enabled in snf_open by setting the SNF_F_AGGREGATE_PORTMASK flag and passing a bitmask of ports to aggregate in the portnum parameter. As a convenience, functions are also available to return portmasks for valid ports (snf_getportmask_valid) and active ports (snf_getportmask_linkup). As a result of calling snf_ring_recv, packets from one or more ports will be received.

Examples

Tests are available from bin/tests of the install directory in binary form and in share/doc/examples in source form. These tests mostly show different aspects of the SNF API and how to use its features.

snf_simple_recv.c: Simplest example of how to receive packets

snf_multi_recv.c: How to receive packets with multiple rings

snf_bridge.c: Example of how to use SNF to create a transparent bridge to analyze traffic on one device and replay it on another

snf_pktgen.c: How to generate packets for injection

snf_replay.c: Example that uses SNF-level injection to replay a .pcap capture file

snf_basic_diags: Basic internal diagnostics which can be useful to verify that everything works as expected (source code not available)

Myricom banner
Thu Jan 7 2021 14:20:25 - SNF 5.3.2.11.54430