Hardware nanosecond‐precision timestamping for line‐rate packet capture
Published in: | IET Networks 2024-05, Vol.13 (3), p.249-261 |
---|---|
Main author: | |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | Cybersecurity events occur frequently. When it comes to investigating security threats, it is essential to offer a 100 percent accurate and packet‐level network history, which depends on packet capture with high precision packet timestamping. Many packet capture applications are developed based on data plane development kit (DPDK)—a set of libraries and drivers for fast packet processing. However, DPDK cannot give an accurate timestamp for every packet, and it is unable to truly reflect the order in which packets arrive at the network interface card. In addition, DPDK‐based applications cannot achieve zero packet loss when the packet is small such as 64 B for beyond 10 Gigabit Ethernet. Therefore, the authors proposed a new method based on Field‐Programmable Gate Array (FPGA) to solve this problem. The authors also develop a DPDK driver for FPGA devices to make the design compatible with all DPDK‐based applications. The proposed method performs timestamping at line‐rate for 10 Gigabit Ethernet traffic at 4 ns precision and 1 ns precision for 25 Gigabit, which greatly improves the accuracy of security incident retrospective analysis. Furthermore, the design can capture full‐size packets for any protocol with zero packet loss and can be applied to 40/100 Gigabit systems as well.
A novel Field‐Programmable Gate Array (FPGA)‐based method of high‐precision timestamping is proposed for line‐rate packet capture applications such as the security incident retrospective analysis, which greatly improves the key performance metrics of such applications. The method can achieve 4 ns or 1 ns timestamp accuracy for 10/25/40/100G Ethernet systems, and can capture any size of packets for any protocol with zero loss. Moreover, the method develops a DPDK driver for FPGA devices, making it compatible with all DPDK‐based applications. |
---|---|
ISSN: | 2047-4954 2047-4962 |
DOI: | 10.1049/ntw2.12114 |