Load-Balancing and Filtering

The Endace art of driving multiple monitoring applications from a single monitoring platform depends largely on two key traffic management components: A hash load balancer (HLB) and a filter rules engine. In standard parlance, the HLB function looks at incoming IP flows (specifically the 64 bit IPv4 source and destination address range) and creates a small digital ‘fingerprint’ - or hash value - by applying an algorithm (CRC-32) to that portion of the IP packet.

The hashed output is entered into comparatively small look-up tables which can be accessed very quickly when checking for future matches. The hashing function alone ensures that identical IP flow inputs can be mapped to a common FIFO buffer within a distinct memory hole prior to processing by the associated CPU core application.

This characteristic enables stateful, connection-oriented mapping from a single input stream (the interface) to multiple output streams in the direction of the CPU cores; analogous to an inverse multiplexer.

Endace capture products also include layer 1 (port), layer 2 (i.e. Ethernet) and layer 3 (IP to 5-levels / 5-tuple) filtering capabilities, which can both directly guide traffic to a specific CPU’s memory hole and play a role in load balancing when combined with a logic output element of the hashing function. [i.e. IF port=x AND filter=y1 OR filter=y2 AND hash=z THEN cpu=1.] Alternatively, these filters may simply discard the traffic as required.