Results 1 - 10 of 17
Passively monitoring networks at gigabit speeds using commodity hardware and open source software
- In Passive and Active Measurement Workshop 2003. NLANR/MNA, 2003
Cited by 16 (0 self)
Abstract—Passive network monitoring is a complex activity that mainly consists in packet capturing and classification. Unfortunately this architecture often cannot be applied to gigabit networks, as the amount of data to capture is too large for the monitoring applications. This paper describes the challenges and lessons learnt by the author while monitoring networks at gigabit speeds and above. Finally, it describes an architecture able to successfully monitor networks at high speeds using commodity hardware and open source software.
Introducing Scalability in Network Measurement: Toward 10 Gbps with Commodity Hardware
- Proceedings of IMC ’04, 2004. L. Deri, Improving Passive Packet Capture: Beyond Device Polling, Proceedings of SANE 2004, 2004
Cited by 9 (0 self)
The capacity of today's network links, along with the heterogeneity of their traffic, is rapidly growing, more than the workstation’s processing power. This makes the task of measuring traffic more problematic every day, especially when off-the-shelf hardware is used. A general solution adopted by the computer industry to achieve better performance is to partition the processing among different computing units, exploiting the implicit or explicit parallelism available on today workstations. Parallelism is in fact growing in two dimensions: physical and logical CPUs (e.g. HyperThreading). Unfortunately, most network measurement systems are engineered to process data in a set of sequential tasks; thus, completely ignoring any form of parallelism provided by the hardware. This paper introduces a new approach to build high performance and scalable network measurement tools. It discusses the problem of dispatching packets to different processing entities and describes a technology able to distribute the flow of incoming packets among different processors in an effective and configurable manner, that avoids any copy and optimizes resource usage.
Network Virtual Machine (NetVM): A New Architecture for Efficient and Portable Packet Processing Applications
- in Proc. of 8th International Conference on Telecommunications (ConTEL 2005), 2005
Cited by 7 (2 self)
Abstract—A challenge facing network device designers, besides increasing the speed of network gear, is improving its programmability in order to simplify the implementation of new applications (see for example, active networks, content networking, etc). This paper presents our work on designing and implementing a virtual network processor, called NetVM, which has an instruction set optimized for packet processing applications, i.e., for handling network traffic. Similarly to a Java Virtual Machine that virtualizes a CPU, a NetVM virtualizes a network processor. The NetVM is expected to provide a compatibility layer for networking tasks (e.g., packet filtering, packet counting, string matching) performed by various packet processing applications (firewalls, network monitors, intrusion detectors) so that they can be executed on any network device, ranging from expensive routers to small appliances (e.g. smart phones). Moreover, the NetVM will provide efficient mapping of the elementary functionalities used to realize the above mentioned networking tasks upon specific hardware functional units (e.g., ASICs, FPGAs, and network processing elements) included in special purpose hardware systems possibly deployed to implement network devices.
A tunnel-aware language for network packet filtering
- in Proceedings of the Global Communications Conference (Globecom 2010), 2010
Cited by 4 (2 self)
Abstract—While in computer networks the number of possible protocol encapsulations is growing day after day, network administrators face ever increasing difficulties in selecting accurately the traffic they need to inspect. This is mainly caused by the limited number of encapsulations supported by currently available tools and the difficulty to exactly specify which packets have to be analyzed, especially in presence of tunneled traffic. This paper presents a novel packet processing language that, besides Boolean filtering predicates, introduces special constructs for handling the more complex situations of tunneled and stacked encapsulations, giving the user a finer control over the semantics of a filtering expression. Even though this language is principally focused on packet filters, it is designed to support other advanced packet processing mechanisms such as traffic classification and field extraction.
P.: "Efficient Real-Time Linux interface for PCI Devices: A Study on Hardening a Network Intrusion Detection System
- Proc. SANE 2006, the 5th System Administration and Network Engineering Conference, 2006
Cited by 2 (0 self)
Traditional software network interfaces in Linux do not deliver satisfactory real-time performance. Hence alternative efficient real-time interfaces are required in network monitoring, distributed systems, real-time networking and remote data acquisition applications. Designing such a software network interface is not trivial. A PC based software network intrusion detection application is studied as an example. Poor throughput and real-time performance of traditional interfaces or their enhanced versions can cause packet skipping and other non-obvious synchronization related failures, which may make the detector ineffective. The effectiveness of the detector can be enhanced by improving its packet capturing and dispatching interface. We achieve this by using an efficient real-time software interface for a PCI Ethernet card. This paper describes the design and implementation details of this interface and its deployment for Linux based network intrusion detection sensors. The nuances of the system design for high speed packet capturing are discussed and the advantages of the proposed design are demonstrated. This mechanism outperforms existing packet capturing solutions- NAPI, PFRING and Linux kernel under heavy network load in terms of higher load bearing capacity, packet capturing capacity and superior real-time behavior.
Intelligent Network Design: User Layer Architecture and its application
- in Proc. IEEE SMC, 2010
Cited by 2 (1 self)
Abstract — This paper addresses building networks that emphasizes on user-centric human computer interaction and context awareness. To achieve this user-centric intelligent network goal, we propose to explicitly take the end-user into account by defining a new layer called the User Layer above the traditional application layer. By exposing some lower layer information to the end-user, the new User Layer establishes a feedback loop between the end-user and the underlying network infrastructure, empowering the end-user to control and influence network performance based on his own behavior and preferences. A cross-layer design approach using a shared database between the different lower layers is adopted. To illustrate the User Layer in action, we present an exemplary implementation of the User Layer, which can dynamically allocate network resources by leveraging on the TCP flow control mechanism. We evaluated network performance via simulation and show that such a design improves the user perceived quality of service (QoS).
MMPP-based HTTP traffic generation with multiple emulated sources
- 2004
Cited by 1 (0 self)
In this article we propose a new tool, named Raw Packet Sender (RPS), for testing the performance of WWW servers. Our solution allows for testing with arbitrary number of source IP addresses although the traffic originates from only one physical NIC. In order to better mimic the real life environment we implemented an HTTP session interarrival time generator based on Markov Modulated Poisson Process (MMPP), which can closely match auto-covariance and the marginal distribution of recorded web traffic traces.
Design, Implementation and Validation of a generic and reconfigurable Protocol Stack Framework for mobile Terminals
- 2004
Cited by 1 (0 self)
This paper introduces a modular and reconfigurable software framework for protocol stacks implemented in platform independent manner. Simulation tools useful for software validations are introduced and a new distributed, three-staged procedure for validation of protocol stack software is proposed. Assertion-based virtual prototyping (based on non-resident assertions), utilising simulation of hardware software co-systems as well as software probes containing code-resident assertions are used in the proposed validation process.
Optimizing Packet Capture on Symmetric Multiprocessing Machines
Cited by 1 (0 self)
Traffic monitoring and analysis based on general purpose systems with high speed interfaces, such as Gigabit Ethernet and 10 Gigabit Ethernet, requires carefully designed software in order to achieve the needed performance. One approach to attain such a performance relies on deploying multiple processors. This work analyses some general issues in multiprocessor systems that are particularly critical in the context of packet capture and network monitoring applications. More important, a new algorithm is proposed to coordinate multiple producers concurrently accessing a shared buffer, which is instrumental in packet capture on symmetrical multiprocessor machines.
Protocol Detection Capabilities in Bro
Abstract—Network Intrusion Detection Systems (NIDS) focus generally on 3 main detection methods; (i) signature, (ii) anomaly network traffic behaviour, and (iii) protocol analyses. The challenge in protocol analyses is to detect the correct protocol used and initiate the proper analyzing method(s). The TCP/IP suite has a standard scheme which predefines port numbers for each protocol by IANA. However, both benign and evil software are continuously getting more and more sophisticated and do not follow these predefined rules. Bro is an open source framework for network traffic analyses