~~NOTOC~~
~~NOCACHE~~
{{:pandda_title.jpg}}
{{:pandda_logo.png?400}}
**PAssive Network Device Discovery and Analysis**
[[:en:get_started|🔗 Get Started!]]
===== 👀 Network monitoring =====
Network monitoring plays a crucial role in network management by enabling the analysis, control, and optimization of data traffic. It allows administrators to detect anomalies, enhance security, and ensure efficient resource utilization. In PANDDA, we leverage IP flow-based network monitoring, utilizing the flexibility of the IPFIX flow format to enrich flow data extensively. This approach allows us to strike an optimal balance between flow-based and packet-based monitoring, maximizing visibility and analytical capabilities.
==== Network probe ====
PANDDA uses the [[https://github.com/CESNET/ipfixprobe|ipfixprobe]] flow exporter, which supports a broad range of network interfaces. Within the PANDDA project, we mainly support these two interfaces:
* **AF_PACKET** --- A raw socket interface that is suitable for slower monitoring interfaces up to 1Gbps.
* **DPDK** --- Interface suitable for high-speed network monitoring. DPDK input can monitor lines reaching up to 400Gbps. To use the DPDK interface, you need a DPDK-compatible card. More information can be found below.
\\
=== Data Plane Development Kit (DPDK) ===
DPDK is a high-performance framework designed to accelerate packet processing by bypassing the traditional Linux kernel networking stack and leveraging user-space drivers. It enables applications to achieve low latency and high throughput by utilizing poll mode drivers (PMDs), hugepages, and CPU core pinning to process packets directly in user space. DPDK is the de facto standard in high-speed network monitoring and line-rate packet processing.
DPDK is relatively complex to set up. Fortunately, PANDDA will autodetect your server hardware and suggest optimal DPDK settings. Nevertheless, DPDK can still cause problems that PANDDA does not detect, resulting in suboptimal flow monitoring. We therefore suggest checking the following:
* You are using one of the recommended network cards on the [[en:recommended_hw|recommended HW]] page.
* Your card is connected to a PCIe x16 slot.
* Check various statistics in ''/var/stats/ipfixprobe''. You should focus on the number of packets processed by each input thread.
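One way to verify the PCIe slot item from the checklist above on a Linux probe host, as an added example that is not part of PANDDA or ipfixprobe. It reads the standard sysfs attributes ''current_link_width'' and ''max_link_width''; the function name and its two optional arguments are made up for this illustration.

```shell
#!/bin/sh
# Added example (not PANDDA code): list the negotiated PCIe link width of
# every Ethernet controller and flag links narrower than the expected width.
# Usage: check_nic_pcie_width [SYSFS_PCI_DIR] [EXPECTED_LANES]
check_nic_pcie_width() {
    root="${1:-/sys/bus/pci/devices}"   # standard Linux sysfs location
    want="${2:-16}"                     # the checklist asks for an x16 slot
    narrow=0
    for dev in "$root"/*; do
        [ -r "$dev/class" ] || continue
        # PCI class code 0x0200xx is an Ethernet controller. Scanning PCI
        # devices (not /sys/class/net) also finds NICs bound to a DPDK
        # user-space driver, which may have no kernel network interface.
        case "$(cat "$dev/class")" in
            0x0200*) ;;
            *) continue ;;
        esac
        cur=$(cat "$dev/current_link_width" 2>/dev/null) || continue
        max=$(cat "$dev/max_link_width" 2>/dev/null) || max="?"
        # Virtual functions and some on-board NICs report no usable width.
        case "$cur" in
            ''|*[!0-9]*|0) continue ;;
        esac
        if [ "$cur" -ge "$want" ]; then
            status=OK
        else
            status=NARROW
            narrow=1
        fi
        printf '%s x%s (max x%s) %s\n' "${dev##*/}" "$cur" "$max" "$status"
    done
    # Exit status 1 when at least one NIC link is narrower than expected.
    return "$narrow"
}
```

On the probe host, call ''check_nic_pcie_width'' with no arguments. A ''NARROW'' line whose maximum is x16 means the card negotiated fewer lanes than it supports.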