Intelligent real-time network analysis
By Alan Rodger
Napatech is a leading provider of specialist network adapters that offer optimised, high-performance analysis and throughput, along with many other advanced features. Network performance is increasingly a focus of business attention, as many organisations have revenue-generating operations that closely depend on network capabilities. Napatech adapters are mostly marketed to providers of specialist network functionality (e.g. security or optimisation) that use the high-performance foundation to add further value, although a proportion of sales is to end-user organisations for whom network activities are particularly critical. Napatech adapters replace the standard adapters supplied in servers, and can provide 1 Gbps or 10 Gbps throughput without affecting server CPU availability. Additional differentiating features include the guarantee of processing without any data loss, and the potential to segment traffic to up to 32 CPUs within the server. A large number of well-known network monitoring, management, and security tools use Napatech as the basis for their own value delivery. Butler Group sees Napatech’s high-end offerings as the gold standard for high-performance real-time network analysis adapters.
- Server CPU utilisation is minimal due to adapters’ on-board processing facilities.
- Guaranteed loss-free processing, even at top-speed throughput.
- Utilises up to 32 CPUs within the host server for traffic segmentation or load sharing.
- Offers multiple time synchronisation sources, as appropriate for industry-specific needs.
- Product options for capture-only, or in-line processing, applications.
- Capture or in-line options are available to meet different requirements.
Plans include support for IPv6, and an increase in throughput capability to 40 Gbps, as well as developments to take advantage of newer chip technologies and new market segments.
Napatech provides intelligent network adapters for real-time analysis of Ethernet and Internet Protocol (IP) networks. These are generally used to support the high-performance processing of network traffic needed by specialist applications, including networking products from vendors to which Napatech provides these adapters via OEM arrangements. The company’s network adapters provide full 1 Gbps and 10 Gbps line-rate packet capture with zero packet loss, no matter the packet size. The adapters are server-mounted, usually to augment or replace the network adapters supplied as standard with the server.
Variants of the adapters are available for two specific types of usage:
- Capture – i.e. as devices to capture traffic for processing by a separate application, such as network monitoring or intrusion detection, where no direct intervention in the traffic by the adapter is required.
- In-line – i.e. incorporating capabilities to modify traffic, such as are required for intrusion prevention, traffic shaping, or bandwidth control.
Napatech network adapters provide a number of features for handling data traffic processing on the adapter itself rather than interrupting the host server’s CPU each time a packet arrives, which is typically the practice of standard adapters supplied with servers. Examples include packet decoding, tagging, and filtering, as well as zero-copy Direct Memory Access (DMA) to the host server’s memory buffer. These capabilities ensure that Napatech adapters incur less than 1% utilisation of the host server CPU for packet capture applications, and less than 5% utilisation of the host server CPU for in-line applications.
A differentiating feature of Napatech adapters is their ability to identify flow elements within the overall network traffic by their application type, and then segment such elements to up to 32 different CPUs (either via an allocation per flow element, or on a sequential basis). The adapters incorporate ‘hash key’ tables that support ready identification of different types of traffic, including different combinations of Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Protocol (IP) along with Multi Protocol Label Switching (MPLS) and Virtual LAN (VLAN). Support is also included for tunnelling mechanisms that are used for networks carrying mobile, Voice over IP (VoIP), and Virtual Private Network (VPN) traffic – these include Generic Routing Encapsulation (GRE), GTP (‘GTP prime’, an IP-based protocol used within mobile networks), and Stream Control Transmission Protocol (SCTP). This allows different types of traffic to be given specific treatment, or can be used to provide support for parallel processing.
The performance advantages provided by Napatech adapters arise in improved, loss-free traffic throughput, and minimised use of the CPU on the server host (thereby allowing application performance to be prioritised). Napatech adapters are differentiated from standard adapters and server adapters that cannot provide full throughput (i.e. loss-free) performance at 1 Gbps and 10 Gbps line speeds for all packet sizes, while also supporting multiple traffic types and carrying out real-time analysis applications. Moreover, independent data shows that even Napatech’s competitors providing high-throughput adapters incur significant usage of the host server’s CPU, which increases as throughput levels rise, thereby potentially causing significant risk of processor contention with applications running on the host server.
Highly accurate time-stamping of stored or analysed network traffic is required for some application types (e.g. forensic analysis). These requirements are not met by standard or server adapters, which provide little if any support for time-stamping traffic. Also, industries are adopting different standards with respect to time-stamping (mobile telephony being one example with unique requirements). Napatech adapters provide precise time-stamping with 10 ns accuracy from packet to packet, using up to six different time formats. Hardware time synchronisation across adapters is supported with 50 ns accuracy, from pulse-per-second (PPS) output to adapters based on the Global Positioning System (GPS), Code Division Multiple Access (CDMA) as used by the mobile telephony industry, or IEEE 1588 standards as used by the Internet’s timing servers.
Napatech adapters are designed for use in standard x86 server platforms. They comply with Peripheral Component Interconnect (PCI) specifications for half-length, full-height PCI slots. Standard network interfaces are used, either RJ45 electrical for 1 Gbps, Small Form-factor Pluggable (SFP) transceivers for 1 Gbps optical and electrical, and 10 Gigabit Small Form-factor Pluggable (XFP) transceivers for 10 Gbps optical. The 1 Gbps adapters include 4 x 1 Gbps bidirectional ports, while 2 x 1 Gbps bidirectional ports are available for 10 Gbps network adapters. The logic of the network adapter is implemented in FPGA (the field-programmable gate array chip type, which allows additional programming to be added to the logic that is installed at the time of manufacture). A standard Small Outline Dual In-line Memory Module (SO-DIMM) element of either 1 GB, 2 GB or 4 GB can be mounted on the adapter to provide buffering capabilities. All communication with the host application is via the PCI bus.
The internal architecture of the FPGA logic is based on the following elements:
- Each Ethernet frame is time-stamped once the entire frame has been received and verified.
- The frames from multiple ports can optionally be merged in exact receive order into a single host buffer.
- The packet decoder recognizes the L2/L3 and L4 header information and classifies each packet.
- Packet classification data is available in an extended packet header enabling fast application processing.
- The filter can screen out certain packets based on filter configuration commands that can be changed on the fly.
- Hash-key generation allows flow identification and distribution to up to 32 host buffers (and thereafter the same number of CPUs).
- Each feed is zero-copied to the correct host memory buffer for application processing.
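The decode, classify and hash-key steps in the list above, and the flow segmentation to up to 32 CPUs described earlier, shown in software as an added example (not Napatech's firmware or API, and not part of the original report). The `flow_key` struct, the function names, the FNV-1a hash and the modulo mapping are assumptions; the block covers only TCP/UDP over IPv4 with an optional VLAN tag, and orders the endpoints so that both directions of a connection reach the same buffer, which is what a stateful IDS worker needs.

```c
#include <stdint.h>
#include <string.h>

#define NUM_BUFFERS 32   /* the page's "up to 32 host buffers" */
/* Hypothetical 5-tuple flow key; names are assumptions, not Napatech's API. */
struct flow_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

/* Constructed sample frame (not captured traffic): TCP 10.0.0.1:49152 -> 10.0.0.2:443. */
const uint8_t SAMPLE[54] = { [12] = 0x08, 0x00, 0x45, [23] = 6,
    [26] = 10, 0, 0, 1, 10, 0, 0, 2, 0xc0, 0x00, 0x01, 0xbb };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Decode Ethernet (optional 802.1Q tag) / IPv4 / TCP or UDP into a flow key.
 * Returns 0 on success, -1 for truncated, fragmented or unsupported frames. */
int decode(const uint8_t *f, size_t len, struct flow_key *k) {
    size_t off = 12;                              /* skip destination and source MAC */
    if (len < off + 2) return -1;
    uint16_t type = be16(f + off); off += 2;
    if (type == 0x8100) {                         /* VLAN: 2-byte TCI, then real EtherType */
        if (len < off + 4) return -1;
        type = be16(f + off + 2); off += 4;
    }
    if (type != 0x0800 || len < off + 20) return -1;
    size_t ihl = (size_t)(f[off] & 0x0f) * 4;     /* IPv4 header length in bytes */
    if ((f[off] >> 4) != 4 || ihl < 20 || len < off + ihl + 4) return -1;
    if (be16(f + off + 6) & 0x1fff) return -1;    /* later fragment: no L4 header */
    k->proto = f[off + 9];
    if (k->proto != 6 && k->proto != 17) return -1;
    k->src_ip = be32(f + off + 12); k->dst_ip = be32(f + off + 16);
    k->src_port = be16(f + off + ihl); k->dst_port = be16(f + off + ihl + 2);
    return 0;
}

/* Direction-independent hash: order the two endpoints, then FNV-1a (a stand-in hash). */
uint32_t flow_hash(const struct flow_key *k) {
    uint64_t a = ((uint64_t)k->src_ip << 16) | k->src_port;
    uint64_t b = ((uint64_t)k->dst_ip << 16) | k->dst_port;
    uint64_t lo = a < b ? a : b, hi = a < b ? b : a;
    uint8_t buf[17];
    memcpy(buf, &lo, 8); memcpy(buf + 8, &hi, 8); buf[16] = k->proto;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* Host buffer index for a frame, or -1 when it carries no hashable flow. */
int buffer_for_frame(const uint8_t *f, size_t len) {
    struct flow_key k;
    if (decode(f, len, &k) != 0) return -1;
    return (int)(flow_hash(&k) % NUM_BUFFERS);
}
```

Frames that return -1 (non-IP, truncated, later fragments) still need a defined destination in a real capture pipeline, for example a dedicated catch-all buffer, so that they are inspected rather than silently dropped.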
Additionally, within the adapters that offer Capture facilities, it is possible to re-transmit frames after analysis in a multi-CPU environment. Re-transmission is controlled using a single flag, which can be set by an application as a request for the adapter to undertake the re-transmission, providing a high-speed turnaround. On re-transmission the original Ethernet Cyclic Redundancy Check (CRC) field can be re-used, or a new CRC generated.
The Capture adapters can also be programmed to perform a local re-transmit on the adapter according to the programmed filters, so selected packets can be re-transmitted out to the network without involving the PCI bus at all, thus leaving more bandwidth for traffic routed to the host CPUs.
In-line adapters can also intelligently spread incoming traffic across up to 32 CPUs for parallel processing, and then merge the traffic after processing for outgoing transmission by the same adapter. This feature greatly improves latency in in-line devices such as Intrusion Prevention Systems (IPS) or firewalls. The adapters are also able to work as traffic generators, and can include in the traffic generated packets with configurable incoming time stamps, and programmable inter-frame gaps. This is especially useful for capture and replay scenarios where traffic patterns from a live network can be replayed later in the lab, or even speeded up (by reducing the inter-frame gap) to stress test other network components in the lab or on the network.
Napatech adapters focus on reducing to a negligible level the disadvantages that some competing offerings incur, while at the same time delivering an impressive range of features that provide real benefits. The extremely low level of CPU overhead taken by these adapters, even when processing the maximum level of throughput, is testament to their excellent design, and allows server resources to remain dedicated almost totally to business applications. The elimination of data loss is a real time-saver, and also increases the quality of service, while facilities such as the distribution of load and segmentation of traffic to CPUs also add value.
As more end-user organisations focus on online, revenue-generating services, those that choose to operate the requisite infrastructure in-house are highly recommended to consider Napatech adapters, which enable low-cost, commoditised servers to act as high-end network performance monitoring devices, and more.
Napatech states that customers’ evaluations typically take one to three days, and involve one Napatech Field Applications Engineer (FAE) helping someone from the customer organisation (who should have knowledge of the appropriate server operating system, and of API programming in C). Full adoption can involve the same resource profile but may require two to six weeks, mainly in undertaking the integration of existing application software with the Napatech API (a simplified task if the application uses a standard libpcap interface). Multiple adapters can be installed on one server if required. The adapters can be installed in x86 servers running the following server operating systems:
- Windows Server 2003, 2008, or XP: 32-bit or 64-bit.
- Linux kernel 2.6: 32-bit or 64-bit.
- FreeBSD 6.x and 7.x: 32-bit or 64-bit.
Recent enhancements enable the Windows driver to match the performance attained by the other two, which Napatech claims is a differentiating characteristic of its products. Table 1 details the capabilities and configurations of the adapter models available from Napatech. The connection types available are PCI eXtended (PCI-X) and Peripheral Component Interconnect Express (PCIe), the high-speed, serial counterpart of the parallel PCI-X bus.
An auxiliary model (Optical Bypass Adapter) can be configured with the main range of models in order to allow traffic to continue to flow even if a fault arises with the main adapter. Commands can be submitted to the bypass adapter to initiate failover action in such an event. An alternative failover configuration is to cable each adapter to another server, so if the primary server goes down a secondary can be used.
Support is provided free. A Napatech FAE (these being based in Europe, California, and Massachusetts) is the first port of call for support. The company states that all FAEs are highly experienced and capable of providing software solutions at the application or driver level.
An online portal is available, where customers can access information and FAQ, register bug reports, and download the latest drivers, FPGA releases, and documentation in release packages. Bugs and errata are addressed according to priority agreed by contract with customers. Customers can request functionality to be included in upcoming releases of Napatech products via their discourse with sales representatives or FAEs.
Napatech focuses on markets that require real-time processing and analysis of high-speed Ethernet data, which includes those for network monitoring and analysis, network test and measurement, network management, network security, and network optimisation. In particular, Napatech’s In-line and Capture Adapters are most relevant where their hardware acceleration is needed for full-strength throughput performance, and where data integrity is paramount (as Napatech’s products eliminate data loss via incorporation of on-board memory to accommodate sudden increases in traffic density). Direct sales to OEM network appliance vendors in these markets account for 90% of sales revenue, with the remainder arising from indirect sales to end users (mainly in the military, government, financial, and higher education markets, or Internet Service Providers). The indirect sales are via Napatech’s Value Added Reseller partners, namely nPulse in the US, and Hi-AXXess in Europe.
The company sees its major market opportunity arising from the growth in importance of network-centric services such as Voice over IP, IP-based television, and cloud computing, all of which will require a stronger focus on network metrics and performance to ensure satisfactory levels of customer service. Competing solutions include standard adapters (e.g. from Intel), server adapters (e.g. from Chelsio, Neterion, or Myricom), other real-time analysis adapters such as those from Endace, or other alternatives such as those from Network Instruments and Bivio.
Licensing is via a straightforward per-unit fee, which includes support and free upgrades. An entry-level offer includes a month’s free trial with the option to purchase at list price after that time (i.e. US$9,900 for the NT20E, US$3,850 for the NT4E). Napatech’s positioning is that its products are intended to exceed the capabilities of legacy Network Processing Unit (NPU) and monitoring adapters, while being priced significantly lower than these alternatives (taking into account ownership costs relating to NPUs, i.e. programming), and indeed nearer to the cost of standard or server adapters. Product plans include support for Internet Protocol v6 late in 2009, continued hardware upgrades to take advantage of new developments in field-programmable gate array (FPGA) chips, new market segments such as advertising driven by network characteristics, and an increase in throughput to 40 Gbps.
Napatech was founded in 2003, with the same market focus that it retains now. It states that it was the first company to introduce a 10 Gbps intelligent network adapter with real-time analysis to the market, in 2004. It acquired the intellectual property of in 2006, which formed the basis for Napatech’s PCI-X series of 1 Gbps network adapters.
Napatech is privately held, its investors including three Scandinavian venture capital companies. As such, its detailed financial results are not published, but it states that it has been profitable since 2006, and that it has quadrupled its revenue during this period, and increased its staff from 17 in number to 51 people. Dozens of customers use the Napatech products as key OEM’d capabilities within products that span a number of solution market segments including real-time network monitoring and analysis, network security monitoring and logging, network testing and measurement, and network management (in all cases, covering Ethernet network traffic specifically). As a result, the products are already used by thousands of organisations, and Napatech claims to protect over 40,000 port connections.
The company’s headquarters are in Copenhagen, Denmark, where Research and Development (R&D) is also based. However, Napatech has been focused on the US market from an early stage in its business, and has had an office in Mountain View, California since 2003, as well as having established new US headquarters in Andover, Massachusetts in 2006. Business in the US is now responsible for 80% of Napatech’s revenue. Establishing offices in Asia (where Napatech already has some customers) is one of the company’s next growth steps.
Napatech adapters augment commodity servers with functionality and capabilities to enable them to fulfil traffic acceleration, line-speed monitoring, and other network monitoring and improvement tasks. They are mostly used by specialist vendors as part of value-adding products undertaking security and networking tasks, but are also purchased by a number of end-user organisations for whom network performance is business-critical. This portion of the user base is likely to grow as more organisations look to establish revenue-earning online services – especially so because the Napatech adapters are priced lower than many offerings that have similarly high-level capabilities.
The Napatech adapters are certainly of market-leading standing, being capable of the highest levels of throughput, but without degrading performance on the server host, and therefore saving on server costs. Butler Group has no hesitation in recommending that any organisation with requirements in this market area evaluate the options from Napatech.