FlowScope: Efficient packet capture and storage in 100 Gbit/s networks

2017 
Tools to capture and analyze traffic are found in every network operator's toolbox. Traffic dumps are essential to the process of debugging network issues and for network forensics. Capturing traffic is a performance-intensive and challenging task for high-speed networks. Therefore, network operators often rely on sampling a random subset of the traffic instead of capturing the network traffic in its entirety. Sampling is not always suitable; network forensics applications, for example, require a full dump of the traffic to determine the source of an attack. We present FlowScope, a tool to continuously capture and store packets in an in-memory ring buffer. A filtered subset of the acquired packets can be dumped to disk if a specified trigger event occurs. We report benchmark results of 120 Gbit/s with 128 byte packets. This is achieved by using a novel ring buffer data structure that is optimized for high packet throughput. FlowScope is available as free software under the MIT license at https://github.com/emmericp/FlowScope.
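The capture model described in the abstract (continuous capture into a fixed-size in-memory ring that overwrites the oldest packets, then a filtered dump of the retained packets when a trigger fires) as an added illustration in C; this is not FlowScope's own code. The slot size, ring size, the IPv4 EtherType filter and the constructed sample frames are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE  128  /* assumed fixed slot size; matches the 128-byte benchmark packets */
#define RING_SLOTS 8    /* assumed tiny ring so the overwrite behaviour is visible */

typedef struct { uint16_t len; uint8_t data[SLOT_SIZE]; } slot_t;
typedef struct { slot_t slots[RING_SLOTS]; uint64_t head; } ring_t; /* head = packets ever stored */

void ring_init(ring_t *r) { memset(r, 0, sizeof *r); }

/* Continuous capture: store a packet in the next slot, overwriting the oldest when full. */
void ring_push(ring_t *r, const uint8_t *pkt, size_t len) {
    slot_t *s = &r->slots[r->head % RING_SLOTS];
    if (len > SLOT_SIZE) len = SLOT_SIZE;          /* slots are fixed-size; truncate the tail */
    s->len = (uint16_t)len;
    memcpy(s->data, pkt, len);
    r->head++;
}

typedef bool (*filter_fn)(const uint8_t *pkt, size_t len);

/* Trigger handling: walk the live slots oldest-to-newest, write those matching the
 * filter to `out` (raw bytes; NULL = count only) and return how many matched. */
size_t ring_dump(const ring_t *r, filter_fn match, FILE *out) {
    uint64_t start = r->head > RING_SLOTS ? r->head - RING_SLOTS : 0;
    size_t n = 0;
    for (uint64_t i = start; i < r->head; i++) {
        const slot_t *s = &r->slots[i % RING_SLOTS];
        if (!match(s->data, s->len)) continue;
        if (out) fwrite(s->data, 1, s->len, out);
        n++;
    }
    return n;
}

/* Assumed filter: keep only IPv4 frames (EtherType 0x0800 at offset 12 of the Ethernet header). */
bool is_ipv4(const uint8_t *pkt, size_t len) {
    return len >= 14 && pkt[12] == 0x08 && pkt[13] == 0x00;
}

/* Constructed workload: 12 minimal frames alternating IPv4 / ARP (0x0806) into an 8-slot ring,
 * so the 4 oldest are overwritten and the dump sees 4 IPv4 frames out of the 8 retained. */
size_t demo_run(void) {
    ring_t r; ring_init(&r);
    uint8_t frame[60] = {0};
    for (int i = 0; i < 12; i++) {
        frame[12] = 0x08; frame[13] = (i % 2 == 0) ? 0x00 : 0x06;
        ring_push(&r, frame, sizeof frame);
    }
    return ring_dump(&r, is_ipv4, NULL);  /* returns 4 */
}
```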