Packet Multiplexer (PMUX)

There are multiple Packet Multiplexers (PMUXs) in VMX-Capture.

Packet Multiplexers (PMUX) are consolidated packet filters (a packet filter is a single process that receives a specified stream from hardware filter). PMUX allow for traffic to be split out in numerous ways.

SmartNIC hardware, firmware, and software capture, buffer, filter, and route packets into packet streams. PMUXs then read packets from the streams. Usually there is one PMUX for each packet stream; however multiple PMUXs can share a packet stream for scalability. The packets received at a SmartNIC capture port can contain traffic from a tap, Mirror Port, or Packet Broker, and may contain a blend of packets from multiple applications and servers at multiple points in the network. Typically, VLAN tags are used to provide a means of representing multiple physical parts of a network infrastructure.

A PMUX gets packets from a source (a packet capture card or a file, for example). It hosts probes, which can filter packets of interest and process them, either by capturing to disk or by decoding and then performing further analysis.

The probes are hosted as separate threads within the same PMUX, for performance reasons. The PMUX will load a defined list of probes when it starts but can be configured to reload particular probes while still running.

Probes

Beeks Analytics uses probes to capture data from the wire, and it can both write these to disk and analyse them for useful information. Probes are positioned at visibility points in the network or application.

A Probe is an ultra-fast, lightweight capture mechanism within VMX-Capture which decodes and/or analyses traffic, delivering business objects and statistics to one or more Agents configured in Beeks Analytics.

A Visibility Point is a location in an application or network from which we want to capture data.

There are often multiple probes at one Visibility Point. More complicated monitoring setups using packet brokers may feature multiple visibility points, allowing point-to-point latency to be directly calculated across the network. VMX-Explorer allows you to choose which visibility point(s) you wish to report statistics from.

There are two types of probe in VMX-Capture:

  • Packet capture probes

  • Stack probes

Packet capture probes

Packet capture probes capture packets to disk to provide a store of the captured data, which users can then consult if needed for diagnostics or evidence. Packets are stored in pcap files compressed with Gzip. VMX-Capture can capture network data, without loss, to compressed pcap files at up to 200Gb/s sustained.

You can configure multiple packet capture probes in a typical VMX-Capture deployment.

Packet capture (to disk) provides the following:

  1. An absolute record of network traffic at packet-level. Use it as evidence in disputes, or if you need to go back to calculate some stats, or decode protocols that you didn't have decoders in place for at the time. Packet capture viewing tools (such as Wireshark) can be used to view the data in this repository, and VMX-Capture allows you to filter the capture files to the precise timing and BPF filter that you need.

  2. Market Data replay with mdPlay, in which we very accurately reproduce market conditions by replaying market data from these captures with exactly the same timings as the original.

To configure a Packet Capture probe, the Napatech card is configured with the data that the probe will listen for. The probe outputs files in pcap form that are compressed into gz archives. The file naming convention is [probename][timestamp].pcap.gz

A Packet Capture probe writes a new pcap file to disk at a configurable frequency, e.g. every 20 seconds (and/or capped at a maximum file size). The file location is a configurable capture directory in a capture repository.

In this document, we’ll cover the setup of a packet capture probe in the following sections, and we’ll also describe the vmxadmin commands, which help you to interrogate probe and PMUX performance.

Stack probes

A typical deployment of VMX-Capture includes multiple stack probes. They perform decoding of messages, timestamping, mapping, anomaly detection, and generation of pre-aggregated stats. They then send the decoded message, anomalies, and pre-aggregated stats to the Agent service in VMX-Analysis. They can also output data directly to the Core Data Feed.

Stack probes provide data for analytics in VMX-Analysis and capture the following types of information: 

  • Data about business objects (transmitted as Agent Events)
    For example, data relating to a quote, order, fill, heartbeat.

  • Latency stats
    For example, Market Data wiretime, TCP roundtrip.

  • Network stats
    For example, bandwidth per link, microbursts per port, loss, window size etc.

To configure a Stack probe, you’ll define a Berkeley Packet Filter (BPF) filter to determine what the probe will listen for. This will be packet-level data such as packet headers, TCP ports, or protocol types. Then you’ll set the data that will be passed to VMX-Analysis.

Stack probes are covered in more depth in VMX-Capture: Stack Probes, Aggregations, Statistics and Agent Events .

Probe and PMUX scaling

The main purpose of a PMUX is to ‘contain’ a range of different functions within, for a given stream of packets.

In very high performance systems you may need to scale traffic across multiple PMUXs, but in normal operation this is not required.

Probes may be split for performance reasons but are most commonly split by the protocol that they need to interpret. Each stack probe supports a fixed set of protocols, with a BPF filter defining the subset of traffic which it is processing with that stack.

The more functionality you build into each stack, the lower the traffic volume that stack will be able to process and so the more different stack probes you may need to deploy within the PMUX to process the desired volume of traffic.

See Capture Card streams for details of how the capture card configuration can be used to direct traffic to each individual PMUX.