Probe TCP Performance

Overview

The WhiteOwl Probe is a high-performance Go-based network flow probe that captures packets, aggregates them into flows, and exports via IPFIX with TCP performance metrics.

Implementation	Throughput	CPU Usage	Notes
Go/gopacket	500k-1M+ pps	~5-10%	Native concurrency

Key Features

Packet capture using gopacket/libpcap
5-tuple flow aggregation
TCP performance metrics (RTT, retransmits, window sizes)
Bounded SYN cache for cross-flow RTT measurement

Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                         WhiteOwl Probe                               │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────────────┐  │
│  │   Capture    │───▶│  Flow Table  │───▶│   IPFIX Exporter     │  │
│  │   Engine     │    │  + SYN Cache │    │   (UDP to collector) │  │
│  └──────────────┘    └──────────────┘    └──────────────────────┘  │
│         │                   │                       │               │
│         ▼                   ▼                       ▼               │
│    gopacket/pcap     Thread-safe map         Enterprise fields     │
│    BPF filters       LRU eviction            PEN 99999             │
└─────────────────────────────────────────────────────────────────────┘
                                │
                                ▼ IPFIX/UDP
┌─────────────────────────────────────────────────────────────────────┐
│                      goflow2 Collector                              │
│                    (Template + Data Records)                        │
└─────────────────────────────────────────────────────────────────────┘
                                │
                                ▼ Kafka (flows_raw)
┌─────────────────────────────────────────────────────────────────────┐
│                       Flow Enricher                                 │
│                      (Flow Tagging)                                 │
└─────────────────────────────────────────────────────────────────────┘
                                │
                                ▼ (flows_tagged)
┌─────────────────────────────────────────────────────────────────────┐
│                        ClickHouse                                   │
└─────────────────────────────────────────────────────────────────────┘

Components

1. Capture Engine

Handles packet capture using gopacket with libpcap.

Key Features:

Configurable interface, snap length, promiscuous mode
BPF filter support
Zero-copy packet processing where possible
Decode layers: Ethernet, IPv4, TCP, UDP

2. Flow Table

Thread-safe flow aggregation with bounded SYN cache.

Flow Key (5-tuple):

type FlowKey struct {
    SrcIP    [4]byte
    DstIP    [4]byte
    SrcPort  uint16
    DstPort  uint16
    Protocol uint8
}

SYN Cache:

Bounded to 100,000 entries (configurable)
LRU-style eviction (oldest 10% when full)
30-second TTL for stale entries
Keyed by reverse tuple for SYN-ACK lookup

Flow Expiration:

Inactive timeout (15s default) — Flow idle, export and remove
Active timeout (60s default) — Long-lived flow, export snapshot, reset counters, keep flow

3. TCP Performance Tracking

Metrics Tracked:

Metric	Description
`min_rtt_us`	Minimum RTT in microseconds
`max_rtt_us`	Maximum RTT in microseconds
`avg_rtt_us`	Average RTT in microseconds
`retransmit_count`	Number of retransmitted segments
`min_tcp_window`	Minimum advertised window
`max_tcp_window`	Maximum advertised window

RTT Measurement:

Handshake RTT (Cross-flow) — SYN → SYN-ACK timing using global SYN cache
Data RTT — Track outstanding sequence numbers, measure data → ACK pairs (same-flow only)

Retransmit Detection:

// A retransmit is when we see a sequence number below our highest seen

TCP State Machine:

New → SynSent → SynAckSeen → Established → FinWait → Closed

4. IPFIX Exporter

Exports flows using IPFIX (RFC 7011) with enterprise fields.

Template Record (sent periodically):

Standard Fields (62 bytes base):
- sourceIPv4Address (4 bytes)
- destinationIPv4Address (4 bytes)
- sourceTransportPort (2 bytes)
- destinationTransportPort (2 bytes)
- protocolIdentifier (1 byte)
- packetDeltaCount (8 bytes)
- octetDeltaCount (8 bytes)
- sourceMacAddress (6 bytes)
- destinationMacAddress (6 bytes)
- tcpControlBits (1 byte)
- flowStartMilliseconds (8 bytes)
- flowEndMilliseconds (8 bytes)
- ingressInterface (4 bytes)

Enterprise Fields (PEN 99999, 20 bytes):
- Field 1: min_rtt_us (4 bytes)
- Field 2: max_rtt_us (4 bytes)
- Field 3: avg_rtt_us (4 bytes)
- Field 4: retransmit_count (4 bytes)
- Field 5: min_tcp_window (2 bytes)
- Field 6: max_tcp_window (2 bytes)

Configuration

config.yaml

capture:
  interface: "eth0"           # Network interface
  promiscuous: true           # Capture all packets
  snap_len: 128               # Bytes per packet (headers only)
  bpf_filter: ""              # Optional BPF filter
  buffer_size_mb: 64          # Kernel buffer size

export:
  collector_ip: "192.168.100.132"
  collector_port: 2055
  domain_id: 1                # IPFIX observation domain
  template_id: 256            # Template ID (256-65535)
  template_interval: 300s     # Template re-send interval
  active_timeout: 60s         # Max flow duration before export
  inactive_timeout: 15s       # Idle time before export
  interface_index: 1          # SNMP-style interface index
  track_tcp_performance: true # Enable TCP metrics

Command Line Options

./chompy-probe -h
  -config string       Path to config file (default "config.yaml")
  -interface string    Override interface from config
  -collector string    Override collector IP from config
  -list-interfaces     List available network interfaces
  -debug               Enable debug logging

Overview​

Key Features​

Architecture​

Components​

1. Capture Engine​

2. Flow Table​

3. TCP Performance Tracking​

4. IPFIX Exporter​

Configuration​

config.yaml​

Command Line Options​