The rise of remote work highlights cybersecurity and ethics issues, making organizations adopt numerous tools to keep businesses safe from hackers, malware, and leaks. Given the scale of damage caused by all sorts of troubles that may occur in or via corporate networks, looking for a potential attack is a paramount task, just as making sure that the performance of apps, services, and employees is up to appropriate business standards.

Packet capture me if you can

Packet analyzing is among the most efficient ways to detect threats and check the overall network condition. The objectives are achieved with the help of packet capture devices enabled to ‘extract’ the traffic coming to or from any given address and check anything about it, from a history of requests to the time of reaction of apps and services. Packets of traffic can be captured, recorded, indexed at the administrator’s request or periodically – or an organization may opt for continuous stream capturing, depending on how crucial it is for a business to analyze it. After the data is captured, and if problems are detected, an organization may proceed with urgent steps to handle them and use the captured information in the future for deeper analysis.

Sounds optimistic and straightforward. But there must be some challenge, right?

Yes. The more data you need to analyze, the more performance is demanded from the packet storage devices, which is hugely impacted by the types of drives used and their restrictions. One of the most significant issues in this field is writing sequential data directly to storage with consistent performance. Data capture devices must record data directly at more than 12 GB/s to prevent packet loss when using 100 Gb/s networks, which sounds too much of a task, as most SSDs are optimized for random rather than sequential workloads.

Only NVMe-based solutions can handle such workloads. Unfortunately, due to the prevailing opinion that it is impossible to create an effective fault-tolerant RAID on NVMe in most cases, reliability is sacrificed for performance. Most continue to use non-NVMe hardware and software in RAID 0 configuration (losing reliability) or RAID 10 (losing cost-effectiveness).

It’s a new ERA for NVMe

There’s no need for such a sacrifice, though, as a specialized RAID software solution comes into play. When developed to realize a specific protocol’s potential (NVMe in this case), the software can overcome reliability issues and performance bottlenecks that NVMe-based systems are prone to.

RAIDIX ERA embodies a perfect solution for packet capture appliances. Its software RAID is presented by a Linux kernel module and management utility, making it highly compatible. ERA features include innovative RAID technologies based on proprietary algorithms that provide stable and fast performance. With I/O handling parallelization and lockless datapath, ERA maximizes NVMe capabilities, squeezing up to 97% of their possible performance, keeping CPU and RAM usage at a low 10-20%. 

Developed with NVMe architecture in mind and dealing great with sequential operations, RAIDIX ERA is way more efficient. It shows better performance than other RAID solutions such as Intel vROC, hardware controllers, and software RAIDs.

It’s worth saying a few words about RAIDIX itself. The company has been developing software-defined storage solutions for data-intensive tasks since 2009. What makes RAIDIX products different from others are proprietary RAID technologies programmed specifically for enterprise storage environments. Their prowess has been proved by successful uses cases, such as implementing software RAID solutions for autonomous vehicles or nearly doubling the performance of kdb+ databases.

What tests say

As mentioned above, for many RAID 0 or RAID 10 are configurations of choice. Sadly, the former brings high speed alongside sheer reliability fears, while the latter provides performance with bills to pay for the extra hardware. Being able to challenge the write speeds of the riskier or more expensive RAID levels in RAID 5 configuration gives RAIDIX ERA an upper hand — but this certainly needs to be proved.

One example is RAIDIX solution for data logging in autonomous vehicles. The task of recording all the data from every car’s sensor is way too challenging for the absolute majority of server platforms and RAID solutions. Why? Because the write performance has to be extremely high, while the size of the server platform is preferred to be as small as possible. These two criteria left no room for any drives but the brand new SSDs. But even with such top-notch equipment it had remained tricky. Not long ago a full-scale data-logging solution with just 12-16 SSD or NVMe drives was hard to come by, given the needs of data processing and PCIe limitations back in the early and mid-2010s. But since PCIe 4.0 introduction in 2019, things have changed. Nice and small server platforms became suitable for data-logging purposes in terms of performance, and their compact size was exactly what the manufacturers of autonomous vehicles and specialized solutions were looking for.

So this type of PCIe 4.0-based solution was chosen, with RAIDIX aboard, for specialized data-logging server platform tests by StorageReview. The storage system, powered by ERA engine, equipped with NVMe drives and configured as RAID 5 demonstrated sequential read transfer speeds as high as the similar system with no redundancy (in RAID 0 configuration). Also, despite redundancy, it delivered two-thirds of RAID 0’s sequential write speed — which is a powerful result for a cost-effective and fault-tolerant RAID 5.

Autonomous vehicles may present a kind of top-level task, but if you’re not dealing with these and need a performance boost, just add a few SSDs, and PCIe 3.0 will still do the job. But with RAIDIX ERA it will be an excellent type of job, and a few will not be a handy euphemism for dozens. Below we have another case of RAIDIX ERA being way more efficient with NVMe drives in RAID 5 configuration than MDADM, a standard RAID management tool by Linux.

Why You Should Build A Packet Capture Device Into Your Network Before You Build Your Trust In It

System configuration (information disclosed):

CPU: Intel(R) Xeon(R) Gold
Motherboard: Supermicro
Sequential block size: 128k

8 WD SN640 NVMe SSD in RAID5 for both RAIDIX and MDADM

MDADM is completely outclassed and doesn’t seem to be a viable solution for NVMe storage at all, be it data logging, packet analyzing, or any other performance-demanding task.

Another benchmark addressed the old guard approach. Why not go with a hardware controller? It has always brought great performance, they say. Well — as we can see below — the performance gap is in ERA’s favor.

Why You Should Build A Packet Capture Device Into Your Network Before You Build Your Trust In It

System configuration (information disclosed):

CPU: AMD EPYC 7702P

OS: Oracle Linux 8.3
8 WD SN640 NVMe SSD in RAID5 for RAIDIX, MDADM, and MegaRAID

Kernel: UEKR6 (5.4.17-2036.101.2.el8uek.x86_64)

How come that software RAID nearly triples the hardware RAID’s performance on writes — and almost reaches the baseline numbers, with one drive left for parity compared to all-drives baseline mode?

It goes down to ERA’s core design principles, which eliminate the bottleneck of architectural limitations that PCIe switches put on overall performance due to lane oversubscription. That increases costs, adds another hardware layer between the CPU and drives, and imposes performance limitations.

There’s no such bottleneck when there’re no PCIe switches needed at all, as it happens in software-defined storage.

To bring both simplicity and high performance, RAIDIX had developed and stuck to their unique data path approach that takes full advantage of NVMe and PCIe throughput, to NVMe enthusiasts’ great joy — finally, their drives will make a substantial difference. Add to this flexibility, zero hardware costs, and all-vendor compatibility of the ERA software. Also, it’s worth noticing that software RAID is now the only solution to support NVMe-oF JBOF devices for disaggregated storage. MDADM, again, performed poorly compared to RAIDIX ERA.

Finally, RAIDIX conducted ERA tests in its laboratory to determine if the system could stay within or above 12-13GB/s in RAID 50 10-drives NVMe configuration for packet capture devices purposes. It was shown clearly that those numbers are achievable:

Why You Should Build A Packet Capture Device Into Your Network Before You Build Your Trust In It


System configuration (information disclosed):

CPU: Intel(R) Xeon(R) Gold
Motherboard: Supermicro
SmartNIC Napatech
File System: XFS
Sequential block size: 128k
Number of streams: 64
Queue depth: 32
RAID level: 50
Micron 9300 MAX NVMe SSDs

As the interface tells, RAIDIX experts were willing to emulate a real-life functioning of packet capture apps using the fio tool — flexible I/O tester — and the Netkeeper utility for testing.

Conclusion

As a solution for packet capture devices, RAIDIX ERA allows building a network analysis infrastructure without balancing between performance and reliability. This is made possible by using a fault-tolerant RAID 5, which ERA practically equals to RAID 10 or even RAID 0 in terms of performance, and keeps it as economical as RAID 5 is supposed to be. This, ironically, may bring a couple of new worries — about the speed of archiving all that data to external systems or about the resilience of those archives. These are worries that seem to be much more enjoyable, though.

Previous post

DeepMind claims its new code-generating system is competitive with human programmers

Next post

Deepdub closes fresh round for dubbing AI that dubs movies, shows, and games