Network flow analysis & DPI | Grovf WireHex Applications

Astghik Nalchajyan
grovf
Published in
4 min readAug 30, 2021

Introduction

In the times of high-speed networks, DPI faces a range of challenges for traffic processing. Modern CPUs are not capable of handling 100Gbps+ rates in-line, therefore DPI servers require ASIC-based decoding and regular expression engines to enable 100Gbps+ speeds.

Organizations that want to take advantage of DPI’s benefits will need additional solutions to boost their efficiency and maximize data processing speed.

More: Advanced Deep Packet Inspection & Analysis | GROVF WireHex

Combining network analyzer with firewall and DPI features, GROVF offers WireHex — Deep Packet Inspection & Analysis Tool that achieves exceptional efficiency for the analysis of 100 Gbps network traffic with a single server.

As for the accuracy of data capture and the depth of analytics, WireHex allows 100 Gbps real-time bandwidth with 99 percent data retrieval precision.

Solution overview

WireHex relies on a Grovf smart network card built on an FPGA and acts as a transparent network device that conducts advanced network analysis, DPI, and firewall operations. The device may block packets based on header information and search the transmission’s content using more than 20,000 programmable rules (regular expressions).

Furthermore, WireHex enables packet blocking based on network provider-defined rules and records all data into Elasticsearch DB with the Kibana visualization system, assuring they make the most of traffic insights.

Solution architecture

The solution consists of 3 parts:

  1. IP-Core of WireHex implemented on a NIC FPGA custom chip.
  2. Host drivers which interact with DPI configuration and data logging to the database.
  3. Client interface with charts, graphs, and other monitoring details.
WireHex System Architecture

Use Cases

Network flow analysis

As a network security solution, Wirehex is applicable for deep flow analysis. Network flow data are high-level records that provide info about the endpoints of Internet connections and the amount of data transferred, without any access to the actual data. Since flow data collection and analysis happens to have higher trackability compared to deep packet inspection, flow monitoring has become common for a number of network management applications, including anomaly and intrusion detection.

Wirehex is meant to monitor all the connections that are passing through the data center in real-time and detect anomalies. This system stands out by not only identifying network connections but also evaluating the intensity among them.

Wirehex is proven to be successful in retrieving metadata (Packet Count, IP/Ports, Traffic Direction, Bandwidth, Protocol type, etc) for each unique IP1:IP2 pair over the 100 Gbps network where no packet can get unnoticed. Due to custom hardware implementation database limitations are prevented thus metadata aggregation is achieved in real-time.

Network Analyzer and Anomaly Detection: GUI examples

Our more recent efforts relate to presenting statistical biases in configurable charts of top-loaded destination IPs, Source IPs, IP pairs, and to using Machine Learning to identify anomalous hosts.

In order to create more robust modes of anomaly detection and superior models of Internet traffic, WireHex analyzes the structural characteristics and dynamics of graphs generated from flow data. Such a structural approach to flow analysis shows patterns in Internet traffic that would be difficult to detect using more traditional methods.

Deep packet inspection

As widespread use as flow-based analysis has, there are some areas where packet capture and analysis are required. Deep packet inspection (DPI) applies to technologies that employ packets as a data source before retrieving metadata such as application or website identifiers. Flow analysis, on the other hand, almost never provides any details as to what is included within packet payloads.

While flow analysis can assist establish broad traffic statistics, it falls short when it comes to analyzing a single interaction in depth. Therefore, it is also essential to employ packet capture techniques to ensure network security since they allow us to examine the actual packets involved in client dialogues and pinpoint the underlying cause of an issue.

Here is where WireHex comes in — equally applicable for Deep Packet Inspection (DPI) and Deep Flow Analysis. This system carries on Deep Packet Inspection at a 100 Gbps line rate. The uniqueness lays under the fact that this technology helps detect and match the same payloads over a network of DPI servers using smart footprint generation. Extending the capabilities of standard DPI, Wirehex can match the generated packet of an end-user with a receiver side, even if there is a third-party server in between (100k+ simultaneous footprints).

Key benefits

  1. DPI and Network Monitoring at 100Gbps with a single Network Card.
  2. L2 — L7 payload checking with 20 000 simultaneous rules.
  3. Packet filtering with the user regexp rules.
  4. Two-way network transparent mode.
  5. Integration with Elasticsearch and Kibana for data analytics.
  6. 100K footprints matching
  7. Support for various protocol encapsulation

Conclusion

At the intersection of network flow analysis and deep packet inspection, GROVF offers WireHex that achieves exceptional efficiency for the analysis of 100 Gbps network traffic. WireHex enables 100Gbps network real-time data analytics and the retrieval of sophisticated statistical information, reaching ~99% data visualization accuracy.

Whether you want to monitor the packet header and the intensity of connections, or you want to troubleshoot vulnerability problems with the full packet detail, Wirehex is a solution for your computing needs.

--

--