Results 1 - 10 of 32
speed network traffic analysis with commodity multi-core systems
- In Proceedings of the 10th annual conference on Internet measurement (2010), IMC ’10, ACM
"... ntop ..."
Feldmann, “Packet capture in 10-gigabit ethernet environments using contemporary commodity hardware,” in PAM, 2007
Cited by 18 (2 self)
Abstract. Tracing traffic using commodity hardware in contemporary high-speed access or aggregation networks such as 10-Gigabit Ethernet is an increasingly common yet challenging task. In this paper we investigate if today’s commodity hardware and software is in principle able to capture traffic from a fully loaded Ethernet. We find that this is only possible for data rates up to 1 Gigabit/s without reverting to using special hardware due to, e.g., limitations with the current PC buses. Therefore, we propose a novel way for monitoring higher speed interfaces (e.g., 10-Gigabit) by distributing their traffic across a set of lower speed interfaces (e.g., 1-Gigabit). This opens the next question: which system configuration is capable of monitoring one such 1-Gigabit/s interface? To answer this question we present a methodology for evaluating the performance impact of different system components including different CPU architectures and different operating systems. Our results indicate that the combination of AMD Opteron with FreeBSD outperforms all others, independently of running in single- or multi-processor mode. Moreover, the impact of packet filtering, running multiple capturing applications, adding per packet analysis load, saving the captured packets to disk, and using 64-bit OSes is investigated.
Comparing and Improving Current Packet Capturing Solutions based on Commodity Hardware
- In Proceedings of the 10th Annual Conference on Internet Measurement (IMC ’10), 2010
Cited by 15 (3 self)
Capturing network traffic with commodity hardware has become a feasible task: Advances in hardware as well as software have boosted off-the-shelf hardware to performance levels that some years ago were the domain of expensive special-purpose hardware. However, the capturing hardware still needs to be driven by a well-performing software stack in order to minimise or avoid packet loss. Improving the capturing stack of Linux and FreeBSD has been an extensively covered research topic in the past years. Although the majority of the proposed enhancements have been backed by evaluations, these have mostly been conducted on different hardware platforms and software versions, which renders a comparative assessment of the various approaches difficult, if not impossible. This paper summarises and evaluates the performance of current packet capturing solutions based on commodity hardware. We identify bottlenecks and pitfalls within the capturing stack of FreeBSD and Linux, and give explanations for the observed effects. Based on our experiments, we provide guidelines for users on how to configure their capturing systems for optimal performance and we also give hints on debugging bad performance. Furthermore, we propose improvements to the operating system’s capturing processes that reduce packet loss, and evaluate their impact on capturing performance.
High-Speed Dynamic Packet Filtering
Cited by 11 (2 self)
One problem encountered while monitoring gigabit networks is the need to filter only those packets that are interesting for a given task while ignoring the others. Popular packet filtering technologies enable users to specify complex filters but do not usually allow multiple filters to be specified. This paper describes the design and implementation of a new dynamic packet filtering solution that allows users to specify several IP filters simultaneously with almost no packet loss even on high-loaded gigabit links. The advantage is that modern traffic monitoring applications such as P2P, IPTV, VoIP monitoring, and lawful interception can dynamically set packet filters to efficiently discard packets into the operating system kernel according to traffic, calls and users being monitored.
DiMAPI: An application programming interface for distributed network monitoring
- In Proceedings of the 10th IEEE/IFIP Network Operations and Management Symposium (NOMS), 2006
Cited by 9 (6 self)
Abstract — Network monitoring and measurement is commonly regarded as an essential function for understanding, managing and improving the performance and security of network infrastructures. Traditional passive network monitoring approaches are not adequate for fine-grained performance measurements nor for security applications. In addition, many applications would benefit from monitoring data gathered at multiple vantage points within a network infrastructure. This paper presents the design and implementation of DiMAPI, an application programming interface for distributed passive network monitoring. DiMAPI extends the notion of the network flow with the scope attribute, which enables flow creation and manipulation over a set of local and remote monitoring sensors. Experiments with a number of applications on top of DiMAPI show that it has reasonable performance, while the response latency is very close to the actual round trip time between the monitoring application and the monitoring sensors. A broad range of monitoring applications can benefit from DiMAPI to efficiently perform advanced monitoring tasks over a potentially large number of passive monitoring sensors.
“Exploiting Commodity Multicore Systems for Network Traffic Analysis,” July 2009. [Online]. Available: http://ethereal.ntop.org/MulticorePacketCapture.pdf
Cited by 8 (2 self)
The current trend in computer processors is towards multi-core systems. Although operating systems were adapted a long time ago to support multi-processing, kernel network layers have not yet taken advantage of this new technology. The result is that packet capture, the cornerstone of every network monitoring application, is not efficient on modern systems and its performance gets worse with an increasing number of cores. This paper describes common pitfalls of network monitoring applications when used with multi-core systems, and presents solutions to these problems. In addition, it covers the design and implementation of a new multi-core aware packet capture kernel module that enables monitoring applications to scale with the number of cores, contrary to what happens in most operating systems.
Wire-speed hardware-assisted traffic filtering with mainstream network adapters
- In NEMA ’10: Proceedings of the First International Workshop on Network Embedded Management and Applications, 2010
Cited by 6 (2 self)
Abstract. Modern computer architectures are founded on multi-core processors. In order to efficiently process network traffic, it is necessary to dynamically split high-speed packet streams across cores based on the monitoring goal. Most network adapters are multi-core aware but offer limited facilities for assigning packets to processor cores. In this paper we introduce a hybrid traffic analysis framework that leverages flexible packet balancing mechanisms available on recent 10 Gbit commodity network adapters not yet exploited by operating systems. The main contribution of this paper is an open source hardware-assisted software layer for dynamically configuring packet balancing policies in order to fully exploit multi-core systems and enable 10 Gbit wire-speed network traffic analysis.
Improving the Performance of Passive Network Monitoring Applications using Locality Buffering
Cited by 6 (2 self)
Abstract—In this paper, we present a novel approach for improving the performance of a large class of CPU and memory intensive passive network monitoring applications, such as intrusion detection systems, traffic characterization applications, and NetFlow export probes. Our approach, called locality buffering, reorders the captured packets by clustering packets with the same destination port, before they are delivered to the monitoring application, resulting in improved code and data locality, and consequently in an overall increase in the packet processing throughput and a decrease in the packet loss rate. We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without the need to change application code. Our experimental evaluation shows that locality buffering improves significantly the performance of popular applications, such as the Snort IDS, which exhibits a 40% increase in the packet processing throughput and a 60% improvement in packet loss rate.
Frame Shared Memory: Line-Rate Networking on Commodity Hardware
- ANCS '07, 2007
Cited by 6 (1 self)
Network processors provide an economical programmable platform to handle the high throughput and frame rates of modern and next-generation communication systems. However, these platforms have exchanged general-purpose capabilities for performance. This paper presents an alternative: a software network processor (Soft-NP) framework using commodity general-purpose platforms capable of high-rate and throughput sequential frame processing compatible with high-level languages and general-purpose operating systems. A cache-optimized concurrent lock-free queue provides the necessary low-overhead core-to-core communication for sustained sequential frame processing beyond the realized 1.41 million frames per second (Gigabit Ethernet) while permitting per-frame processing time expansion with pipeline parallelism.
vPFRING: Towards WireSpeed Network Monitoring using Virtual Machines
- In Proceedings of ACM Internet Measurement Conference, 2011
Cited by 5 (0 self)
The demand of highly flexible and easy to deploy network monitoring systems has pushed companies toward software based network monitoring probes implemented with commodity hardware rather than with expensive and highly specialized network devices. Deploying software probes under virtual machines executed on the same physical box is attractive for reducing deployment costs and for simplifying the management of advanced network monitoring architectures built on top of heterogeneous monitoring tools (i.e. Intrusion Detection Systems and Performance Monitoring Systems). Unfortunately, software probes are usually not able to meet the performance requirements when deployed in virtualized environments as virtualization introduces severe performance bottlenecks when performing packet capture, which is the core activity of passive network monitoring systems. This paper covers the design and implementation of vPF_RING, a novel framework for efficiently capturing packets on virtual machines running on commodity hardware. This solution allows network administrators to exploit the benefits of virtualization such as reduced costs and centralized administration, while preserving the ability to capture packets at wire speed even when deploying applications in virtual machines. The validation process has demonstrated that this solution can be profitably used for multi-gigabit network monitoring, paving the way to low-cost virtualized monitoring systems.