This invention relates to network interface devices for performing packet capture at a host data processing system.
Packet capture is an important tool for network management and is used for many monitoring and troubleshooting purposes. With increasingly many applications, especially those in financial services, operating with very aggressive quality of service and jitter requirements, packet capture can provide a means of performing application level performance tuning and diagnostics by recording a log of packet activity on application data flows. Packet capture can further satisfy the requirements of regulatory compliance that exist in financial services, such as the logging of trading messages to and/or from a server.
Packet capture commonly requires hardware timestamp support, especially if a precision of tens of nanoseconds is to be achieved, which in turn requires the use of network time synchronisation protocols such as IEEE 1588 v2. Furthermore, the high speeds of modern networks (such as 1, 10 or 40 GbE) have resulted in the development of dedicated hardware packet capture devices for performing packet capture of received data flows by processing received data packets into a standard format logfile, such as PCAP. For example, Napatech's network analysis adaptors support high speed packet capture at up to 20 Gb/s. However, such devices terminate the network flows they receive and therefore rely on the network architecture itself to be configured to provide duplicate data flows to the packet capture devices. This is conventionally achieved through the use of high speed switches (e.g. via a spanning port) arranged to duplicate the data flows which a packet capture device is intended to capture. The parent data flow from which the duplicate flow is made is delivered to the appropriate endpoint in the normal manner. Furthermore, dedicated packet capture devices that stream capture data into host memory typically rely on a complex interface to the host which is primarily concerned with supporting the high data rates of the capture streams and does not guarantee uninhibited data flow for other applications supported at the capture system.
The conventional use of network switches to provide duplicate data flows for packet capture has several disadvantages:
i. it requires the use of expensive switches and the architecture of the network to be designed to ensure that the data flows to be captured are routed via the switches at which the data flows are to be duplicated—it can be particularly expensive to engineer a network such that all data flows are monitored at a packet capture device;
ii. since the duplicated data flow and its parent data flow take different paths through the network to their respective endpoints, the packet capture device does not measure the jitter for the parent data flow downstream from the switch, which is in fact the data flow intended to be monitored;
iii. furthermore, because the parent and duplicate data flows take different paths, the packet capture device actually measures the jitter experienced by the duplicate data flow, which can include contributions from the network fabric downstream from the switch on the path of the duplicate data flow;
iv. packet capture devices are a point of traffic aggregation in a network and must therefore make use of high end link technologies if they are to cope with the convergence of many data flows in a high volume network—this makes conventional packet capture devices expensive.
Some switches, such as Cisco's IOS switches supporting Embedded Packet Capture, provide the ability to perform packet capture at the switch itself. However, this does not address problems (i), (ii) or (iv) and requires the captured data to be streamed across a network for storage, which can itself lead to increased jitter and congestion on the links supporting the monitored data flows.
There is therefore a need for an improved packet capture device that addresses one or more of these problems.