scaling up your network monitoring · 2014. 10. 23. · new monitoring diagram tech exchange 2014....
TRANSCRIPT
![Page 1: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/1.jpg)
Scaling Up Your Network Monitoring: From the Garden Hose to the Fire Hose
Vincent StofferCyber Security Engineer
Technology ExchangeOctober 28, 2014
UNIVERSITY OF CALIFORNIA
![Page 2: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/2.jpg)
● Intro / overview● The problem● Device roundup and review● Cool new stuff● Discussion / Questions
Agenda
Tech Exchange 2014
![Page 3: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/3.jpg)
Lawrence Berkeley National Laboratory● Located in Berkeley, CA● "Bringing science solutions to the world"● Unclassified DoE research facility
operated by University of California● Functions much like a research
university
Overview
Tech Exchange 2014
![Page 4: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/4.jpg)
Tech Exchange 2014
![Page 5: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/5.jpg)
Tech Exchange 2014
![Page 6: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/6.jpg)
● ~5000 users ~10,000 hosts● Distributed computing resources● Many guests and visitors● Open network to enable
collaboration and research
Computing overview
Tech Exchange 2014
![Page 7: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/7.jpg)
Orders of magnitude changes in network speeds/bandwidth create big issues for network monitoring
What’s driving these changes?
The (scaling) problem
Tech Exchange 2014
![Page 8: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/8.jpg)
Tech Exchange 2014Courtesy Greg Bell, ESnet
![Page 9: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/9.jpg)
Courtesy Greg Bell, ESnet
![Page 10: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/10.jpg)
● <1G to 1G● 1G to 10G● 10G to 40G/100GThese transitions mean changing more than network equipment!
All of that means transitions
Tech Exchange 2014
![Page 11: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/11.jpg)
From 1G to infinity
● 1G is easy● 1-10G is mostly a solved problem● >10G is still evolving
Tech Exchange 2014
![Page 12: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/12.jpg)
● Input○ Tapping○ Aggregation & Load-balancing○ Filtering
● Output○ Analysis○ Bulk packet capture○ Filtering
Monitoring Pipeline
Tech Exchange 2014
![Page 13: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/13.jpg)
![Page 14: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/14.jpg)
● Commercialappliance vendors○ High performance○ Custom ASICs○ Flexible○ High cost per port
Aggregation/load balancing
Tech Exchange 2014
![Page 15: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/15.jpg)
Tech Exchange 2014
Apcons,10G monitordevices installed @LBL2007
![Page 16: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/16.jpg)
Not your typical IDS/IPS
● A monitoring platform○ A standalone network monitor○ A programmable framework○ An ecosystem
What is Bro? www.bro.org
Tech Exchange 2014
![Page 17: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/17.jpg)
![Page 18: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/18.jpg)
Tech Exchange 2014
![Page 19: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/19.jpg)
Everything running smooth
● Average traffic 1-3 Gbps● Peaks to 6-7 Gbps● There will always be some
amount of packet loss, try to minimize
● Then...
Tech Exchange 2014
![Page 20: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/20.jpg)
LBLnet redesign
● 100G border● Science DMZ● Redundant border routers● New distribution layer routers● All dual connected
Tech Exchange 2014
![Page 21: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/21.jpg)
New monitoring diagram
Tech Exchange 2014
![Page 22: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/22.jpg)
100G Berkeley Lab approach
● Duplicate our setup on 10G● Moving from duplication to
advanced aggregation● New device needed
Tech Exchange 2014
![Page 23: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/23.jpg)
● Filtering at ingress & egress● Port speed agnostic● Aggregation, symmetric load-
balancing● No oversubscription limits● API for dynamic filtering/shunting
100G Device wish list
Tech Exchange 2014
![Page 24: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/24.jpg)
● Filtering for arbitrary IP headers / TCP flags
● Every port can be input/output● Create port groups● Send output to load-balanced
groups and single ports● IPv6 support
100G Device wish list cont’d
Tech Exchange 2014
![Page 25: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/25.jpg)
● Commercial / Appliance● Commodity network (proprietary /
hybrid)● Commodity network + SDN● Roll your own
100G Monitoring device options
Tech Exchange 2014
![Page 26: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/26.jpg)
Tech Exchange 2014
Vendor Product 100G? Tested? Pros Cons
Gigamon HD series Yes No Good feedback
Cost!
cPacket cVue No Not at 100G LBL reference
Cost
Endace/Emulex
EndaceAccess
Yes Yes Form factor 2 devices, filtering, cost
Others: VSS, IXIA/Anue/Netopics, Apcon, ???
Appliance vendor roundup
![Page 27: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/27.jpg)
Tech Exchange 2014
![Page 28: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/28.jpg)
● Commodity network vendors● SDN/Openflow or tap
aggregation code (distribution, telemetry, DANZ, etc.)
● Lower cost per port● Massively scalable
The new hope...delivered!
Tech Exchange 2014
![Page 29: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/29.jpg)
Network vendor roundup
Tech Exchange 2014
Vendor Model 100G support?
Covers wish list?
Pros Cons
Arista 7150LANZ(7280)
Yes, with 2nd device
Yes API, GUI, SDN
2 devices, IPv6
Brocade MLXeTelemetry
Yes Yes Cost, SDN
No GUI or API, lower density
Cisco Nexxus ?Monitor manager
Yes Unknown, not tested
Cost? Cisco
![Page 30: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/30.jpg)
Tech Exchange 2014
![Page 31: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/31.jpg)
Tech Exchange 2014
![Page 32: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/32.jpg)
● We have not tested yet● Hoping to try on Arista / Brocade● Advantages over native feature
sets?● New apps like...
SDN / Openflow
Tech Exchange 2014
![Page 33: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/33.jpg)
● New project built off lessons learned with IU’s Flowscale
● “SciPass is an OpenFlow application designed to help network security scale to 100Gbps”
● http://globalnoc.iu.edu/sdn/scipass.html● Wednesday 1:30 session
Scipass
Tech Exchange 2014
![Page 34: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/34.jpg)
● Flexible interface including GUI● High density - 6 port 100G line card!● Easy to use API
○ dynamic shunting!● Relatively low cost● Lots of peers using
We chose Arista
Tech Exchange 2014
![Page 35: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/35.jpg)
Tech Exchange 2014
![Page 36: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/36.jpg)
Tech Exchange 2014
![Page 37: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/37.jpg)
● Filtering● Analysis
○ Ethernet cards○ Bro
● Packet capture
Output
Tech Exchange 2014
![Page 38: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/38.jpg)
● Elephant flows○ Control traffic
● Exclusions (IP pairs, netblocks, ports/protocols)○ Research networks / affiliates○ Resnet?
Filtering
Tech Exchange 2014
![Page 39: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/39.jpg)
● Dynamic ○ via Bro○ near real time○ via API (Arista) or scripting○ holy grail
Filtering cont’d
Tech Exchange 2014
![Page 40: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/40.jpg)
● Python program for shunting● Written by Justin Azoff● Uses Arista JSON API to limit to control
packets● Bro’s reaction framework feeds in data● Connection details are preserved
Dumbno
Tech Exchange 2014
![Page 41: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/41.jpg)
● Much more simple than SDN but not as flexible
● Small amount of code● Limited number of ACLs for now● Let Bro use the force
Dumbno cont’d
Tech Exchange 2014
![Page 42: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/42.jpg)
Tech Exchange 2014
![Page 43: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/43.jpg)
● pf_ring (LibDNA, zero copy)○ direct memory access to
network hardware○ high throughput○ supports multiple tools
Network cards - Intel
Tech Exchange 2014
![Page 44: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/44.jpg)
● Sniffer10G○ Support for Linux, FreeBSD○ Myricom 10G cards only○ Supports only one tool in 2.0
(multiple tools in 3.0)○ Company/IP in some flux
Network cards - Myricon
Tech Exchange 2014
![Page 45: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/45.jpg)
● Framework for high speed packet capture
● Kernel module for Linux and FreeBSD
● Will be testing soon as alternative to Myricom
Network cards - netmap
Tech Exchange 2014
![Page 46: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/46.jpg)
● Linux/FreeBSD traffic steering daemon based on netmap○ Load-balancing○ Duplication○ Filtering to multiple apps
● Starting to test
Bro Packet bricks
Tech Exchange 2014
![Page 47: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/47.jpg)
● Dynamic blocking via ACLD● All our security tools feed data● Nullroutes and ACLs on Border
routers● No interference with science
Blocking
Tech Exchange 2014
![Page 48: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/48.jpg)
Tech Exchange 2014
![Page 50: Scaling Up Your Network Monitoring · 2014. 10. 23. · New monitoring diagram Tech Exchange 2014. 100G Berkeley Lab approach Duplicate our setup on 10G ... Emulex Endace Access Yes](https://reader036.vdocuments.us/reader036/viewer/2022071413/610ba5c1226a164b96381755/html5/thumbnails/50.jpg)
Arista - http://www.aristanetworks.com/en/products/eos/danz
cPacket - http://cpacket.com/products/cvu/
Brocade - http://www.brocade.com/solutions-technology/service-provider/network-visibility/index.page
Endace - http://www.emulex.com/products/network-visibility-products-and-services/10040g-network-visibility-headends/features/
Cisco - http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/extensible-network-controller-xnc/solution-overview-c22-729753.html
SciPass - http://globalnoc.iu.edu/sdn/scipass.html
Dumbno - https://github.com/JustinAzoff/dumbno
pf_ring - http://www.ntop.org/products/pf_ring/
Myricom - https://www.myricom.com/software/sniffer10g.html
Netmap - http://info.iet.unipi.it/~luigi/netmap/
Packetbricks - https://github.com/bro/packet-bricks/
Bro - http://bro.org/
References
Tech Exchange 2014