TurboCap Frequently Asked Questions

TurboCap is a feature-rich, full-rate, Gigabit Ethernet capture and injection solution available for the Windows and Linux platforms. Based on a either a dual-port or quad-port Gigabit Ethernet board, TurboCap comes with an optimized driver that supports full-rate Gigabit capture and injection and is fully integrated with WinPcap/libpcap and, consequently, supports open source applications like Wireshark®, Windump, tcpdump and Ntop.

The granularity is on the order of several microseconds (3-5 micro seconds).

The timestamping/capturing loop runs on a thread that is bound to one CPU (the last one in the system, with the current version of the driver).

They are all given the same timestamp.

Packets are timestamped in software when they are received by the host. Although the resolution that we use in the timestamp provided with each packet is nanosecond, the actual precision in Polling Mode is on the order of several (3-5) microseconds, and depends on a number of factors (including the CPU load on the machine). This is valid as long as you use the polling timestamping mode. If you use the “timer” timestamping mode, the precision is around 1ms.

No.

Yes, packets with FCS errors are passed.

If you choose the Per-Packet-Information (PPI) linktype in the Wireshark capture options, then Wireshark will natively display per-packet errors when used with TurboCap.

TurboCap captures packets with correct and wrong FCS, and the FCS is always available to capturing applications. TurboCap also returns the following errors (on a per-packet basis):

- invalid Frame Check Sequence (FCS)
- sequence error. A valid delimiter sequence consists of Idle->start-of-frame(SOF) ->data,
- >pad(optional) – >end-of-frame(EOF) ->fill(optional) ->idle
- symbol error
- data error
Please understand that, if you are currently using WinPcap to receive packets, by default WinPcap will return packets captured with TurboCap as bare Ethernet packets with the FCS, but it will not return the above mentioned errors. If you want per-packet errors, you will need to slightly modify your application to:
1) receive packets encapsulated in PPI. PPI (Per Packet Information) is a header that gets prepended to every packet and contains meta information like the errors and the frame check sequence presence.
2) make your packet dissection code take PPI into consideration.
Alternatively, you can switch your application to make use of the TurboCap native API that exposes all the features of TurboCap.

The TurboCap Developer's Pack doesn't ship with any examples of how to dissect packets. There are some examples of simple packet dissection in the WinPcap Developer's Pack, however, available at http://www.winpcap.org/devel.htm.

Yes.

The source code for the dump application is not available.

Filtering, at the moment, is implemented in user mode through the WinPcap API. You can change the filter on the fly using pcap_setfilter.

Yes, TurboCap can do full line rate capture if used with at least 4 PCIe lanes.

A Pentium-D (dual core) 2.8GHz CPU, 2GB RAM, 50MB free disk space on the hard drive plus additional space for capture (trace) files. Disk performance is key to full-rate packet dump to disk. A PCI-Express 4x or 8x slot with 4 lanes for the TurboCap adapter. Our test platform has six 250GB, 7200rpm HDD with SATA RAID0 (i.e. striping).

The problem with 16x graphic slots is that, in some cases, the board will not use 4 lanes (since TurboCap is a PCIe 4x card) but instead it will just use 1 lane. The card will work, but will not be able to go full speed. We have asked Intel about this, and they have stated that this is "normal". The 16x slot is made specifically for graphics cards (in fact it's called PEG, PCI Express Graphics) and works at 16x only with graphics cards.

If you have a PCIe 16x Intel card already installed in the slot, you can probably get the negotiated PCIe link width if you have installed the Intel driver + Intel PROSet for Windows Device Manager (it comes with the Intel cards). In order to determine this, go to the device manager: right-click on my computer, click properties, then go to "hardware" tab and click on "Device manager" (Windows XP) or click on "Device manager" on the left (Windows Vista).

Expand the "network adapters" item. You should have four items, one for each port of your QuadPort 1000/PT card. Right click on one of them, choose properties. Go to the "Link Speed" tab, and click on "identify adapter". The new dialog will give you the negotiated PCIe link width. If you don't have the "Link Speed" tab, it means that you just installed the drivers without the Intel PROSet for Windows Device manager.

TurboCap acts as a switch with the 2 ports operating at the same speed, so the answer to your question is “yes”.

A dual core processor is strongly suggested as a minimum requirement, but the software will definitely work (even better in some scenarios) on a machine with 8 cores.

At the moment, the only way to check which timestamping mode is in use is through the TurboCap Control Panel. Future versions of the TurboCap API (but maybe not the next one) will have a flag allowing you to change and query the timestamping mode programmatically.

That is the correct behavior. The TurboCap driver uses all of the CPU to operate correctly. The current version of the driver "steals" a CPU even when no capture is in progress. The next version of the driver will steal the CPU only when you start a capture with TurboCap.

Yes, TurboCap supports capturing on 2 separate LANs because it has 2 separate Ethernet ports that work independently.

Officially, TurboCap supports XP, Vista and Windows 7 only. In practice, we've been successfully using it on Windows Server 2003 in-house without any problem.

For live capture from a TurboCap port directly to another party analyzer, the analyzer must be based on WinPcap. Otherwise,the third party analyzer must support the pcap file format to read a trace file created by TurboCap.

At the moment, we do not have any tool to replay a capture file with TurboCap. However, in the TurboCap Developer’s Pack (available from http://www.cacetech.com/downloads.html), you can find a sample called HighSpeedTransmitter that allows you to transmit packets at the maximum packet rate. It's not possible to transmit packets at a specified rate because TurboCap does not support scheduled transmission of packets.

TurboCap can do full rate if used in a PCIe slot wired with at least 4 lanes. Regarding the disk, we do not have a minimum specification for the HDD (or bus). In our own tests, we use a HW SATA RAID controller from Adaptec (PCIe 4x), connected to 6 SATA hard drives.

Wireshark and tcdump dump packets to disk when capturing. If the disk is not fast enough, you can definitely lose packets, and the behavior during the packet loss can be unpredictable, especially when the capture is done with Wireshark. This is because:

1. Wireshark decodes packets while capturing (this actually depends on how Wireshark has been configured)
2. Wireshark uses the normal FILE APIs to dump to disk. These make use of the OS file system caching (tcdump disables file system caching for the dump file for the duration of the capture). Caching can impact the overall capture performance.
If you are not using a RAID unit, we suggest:
1. Dump to a separate disk (not a different partition, a completely separate disk).
2. Reboot the machine after the two tests (tcdump/wireshark) in order to wipe out the OS file system cache.
Tcdump can capture multi gigabyte files with no issue. The limitation is just the amount of free space on the HD. In our tests, we usually have 30-40GB files ( we dump a saturated 1Gbps link to a RAID system for long periods of time). If you would like to use an alternate capture utility that parses the data into files, you can use dumpcap: http://www.wireshark.org/docs/man-pages/dumpcap.html.

Yes, if the slot is a standard 16x one. Several motherboards have a 16x slot reserved for graphics (usually called PEG, PCI Express Graphics). If you put the TurboCap card (or any other non graphics card) in that slot, it will typically operate at 1x. This is not a limitation of the TurboCap card, but rather a "limitation/feature" of the motherboard itself.

No.

Yes! A Fedora Linux driver is available on our Downloads page.

AMD64 (also called EM64T or x64) means that we support 64bit processors in the AMD family, as well as 64bit x64 processors from Intel (i.e., all the Intel processors sold in current PCs). The only processor that we do not support is the Itanium.

Regarding the use of a fiber card, the TurboCap driver supports the Intel card provided with the TurboCap package. If you need to use TurboCap on a fiber link, you will need to buy a fiber to copper adapter.

You don't need to configure anything to use the aggregate mode - it's always enabled (that's why there is nothing related to it in the Control Panel). For example, Wireshark and tcdump will list both the separate ports and the board aggregating port. If you want to work in aggregation mode, i.e., capture from both the physical ports at the same time, please choose the port called Board Aggregating Port, as shown on page 16 of the TurboCap User's Guide.

It's definitely possible to create two instances capturing from the same port, they will receive the same traffic. As far as performance is concerned, it basically depends on what you do with the packets, but it shouldn't cause problems (not more than opening one single instance and then duplicating to two different processing paths in your application).

TcDump.exe is the old libpcap format (Ethernet only). TcDump_ng.exe is the new pcap ng file format recently developed here that allows mixing of wired and wireless packets, annotation of packets and more. The dump file format is available at:
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

Yes.

No, at the moment we do not ship the compiled version of the samples. We can provide them if you need them, though. Just send a request to info@cacetech.com.

At the moment there is no native TurboCap API to filter packets, and the easiest way to filter them is the one that you have proposed. Future versions of TurboCap might support filtering.

5ms is definitely too high. Did you set the timestamping mode to polling mode? If not, please switch to polling mode. The latency should improve significantly and, in switching to polling mode, you will not increase the likelihood of dropping any packets that pass through the card.

The driver is compatible with WinPcap which is compatible with libpcap (but it's Windows).

No. The board does not support hardware pass-thru.

The CPU load is definitely lower in this case, so the jitter in the generated timestamps is expected to be lower.

The capture starts when you hit the start button on Wireshark, and stops when you hit the stop button.

Yes, as long as you use the normal Ethernet encapsulation. If PPI encapsulation is used (e.g. to get the interface Id in case of aggregating ports), filtering is not supported.

The version of Wireshark shipped with the TurboCap installation CD (v1.4) is the official Wireshark 1.2.5. Typically the latest version of Wireshark can be used with TurboCap as well. As far as WinPcap is concerned, TurboCap ships with the publicly available 4.1.1 build.

We cannot guarantee such timestamp precision.

There are no filtering capabilities *within* the driver, but it's possible to filter the captured traffic with the TcDump utility as well as with wireshark/tshark.

Usage: tcdump.exe filename [-f ] [-p ] [-e] [-s ]

filename name of the file to dump to
-f filter string, in the libpcap/tcpdump format (e.g. \"tcp port 80\")
-p name of the port to capture from.
-e when capturing from an aggregating port, save the ID of the physical ports for each packet.
-s save only the first bytes of each packet.

The TurboCap Software Distribution includes the TurboCap Windows Driver, Manuals, and a Developer’s Package. The Developer’s Package is for users who are interested in developing their own applications based on the TurboCap API and includes a large number of sample applications. One very important included application is “Dump-to-Disk”, which has been optimized for high-speed capture to disk.

At the moment, tcdump doesn't offer any feature to split the capture into multiple files. We’re definitely considering adding this option, but need to address a couple of minor issues when switching from one file to another that could cause packet loss.

Not with the current hardware. There's no Express Card or PCMCIA version of the card.

Not directly. You need to use a fiber to copper adapter for this.

It's difficult to say why this happens. Running the sniffer application on the production server itself is not usually a good idea, because the server applications (e.g. apache or IIS) compete with the sniffer system for the CPU and, possibly, disk resources. It's always advisable to run the sniffer on a separate machine through the normal WinPcap or with a TurboCap card.

When transmitting on the two ports at the same time at full speed, the driver may or may not keep up, it depends on the hardware. On one of our test machines with an Intel dual core 2.8GHz CPU, our test application can generate more than 990Mbps with small packets. On another machine, with a quad core Xeon at 2.33GHz (running an x64 version of Windows), we transmit full rate.

The CPU utilization is a bit tricky. The TurboCap driver uses one CPU 100% in a polling loop. So what you see in the Task Manager is that the last CPU of the system is always 100% used. What actually happens is that the driver uses all the free cycles of that core to run the board. If a process needs that core, the OS will schedule a process on that core as well.

In the case above (transmitting small packets at 1Gbps), the CPU load for the transmission application *per port* is the following:

(Intel dual core 2.8GHz): around 50% of 1 core per transmitter
(Intel Quad Core Xeon 2.33GHz): around 20% of 1 core per transmitter.

Yes. Depending on the specific hardware of the PC, it can saturate a 1Gbps link with small packets (64bytes Ethernet packets including FCS, around 1.5M packets/s).

There is a custom API to talk with the board. No sockets.

The driver supports both x86 and x64 machines (it does not support Itanium). Although the driver should work on Windows Server 2008, it's not a supported platform at the moment. The supported platforms are Windows 7, Windows Vista and Windows XP x86 and x64.