Abstract
Tracing traffic using commodity hardware in contemporary high- speed access or aggregation networks such as 10-Gigabit Ethernet is an increasingly common yet challenging task. In this paper we investigate if today’s commodity hardware and software is in principle able to capture traffic from a fully loaded Ethernet. We find that this is only possible for data rates up to 1 Gigabit/s without reverting to using special hardware due to, e. g., limitations with the current PC buses. Therefore, we propose a novel way for monitoring higher speed interfaces (e. g., 10-Gigabit) by distributing their traffic across a set of lower speed interfaces (e. g., 1-Gigabit).
This opens the next question: which system configuration is capable of monitoring one such 1-Gigabit/s interface? To answer this question we present a methodology for evaluating the performance impact of different system components including different CPU architectures and different operating system. Our results indicate that the combination of AMD Opteron with FreeBSD outperforms all others, independently of running in single- or multi-processor mode. Moreover, the impact of packet filtering, running multiple capturing applications, adding per packet analysis load, saving the captured packets to disk, and using 64-bit OSes is investigated.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
The Munich Scientific Network. http://www.lrz-muenchen.de/wir/intro/en/#mwn
Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31(23-24), 2435–2463 (1999)
Endace Measurement systems: http://www.endace.com
Mogul, J.C., Ramakrishnan, K.K.: Eliminating receive livelock in an interrupt-driven kernel. ACM Transactions on Computer Systems 15(3), 217–252 (1997)
Jacobson, V., Leres, C., McCanne, S.: libpcap and tcpdump. http://www.tcpdump.org
Wood, P.: libpcap MMAP mode on linux. http://public.lanl.gov/cpw/
Deri, L.: Improving passive packet capture: Beyond device polling. In: Proc. of the 4th Int. System Administration and Network Engineering Conference (SANE’2004) (2004)
Deri, L.: nCap: Wire-speed packet capture and transmission. In: Proc. of the IEEE/IFIP Workshop on End-to-End Monitoring Techniques and Services (IM 2005, E2EMON), IEEE, Los Alamitos (2005)
Snort. http://www.snort.org/
Salim, H.D., Olsson, R., Kuznetsov, A.: Beyond softnet. In: Proc. of the 5th Annual Linux Showcase & Conference (2001)
Rizzo, L.: Device Polling support for FreeBSD. In: Proc. of the EuroBSDCon’ 01 (2001)
Schneider, F.: Performance Evaluation of Packet Capturing Systems for High-Speed Networks Diploma thesis, Technische Universität München (2005), for cpusage and the capturing application see, http://www.net.in.tum.de/~schneifa/proj_en.html
Olsson, R.: Linux kernel packet generator
Hints for improving Packet Capture System performance: http://www.net.t-labs.tu-berlin.de/research/bpcs/
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Schneider, F., Wallerich, J., Feldmann, A. (2007). Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds) Passive and Active Network Measurement. PAM 2007. Lecture Notes in Computer Science, vol 4427. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71617-4_21
Download citation
DOI: https://doi.org/10.1007/978-3-540-71617-4_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-71616-7
Online ISBN: 978-3-540-71617-4
eBook Packages: Computer ScienceComputer Science (R0)