Abstract
In recent years, the need for high-performance network monitoring tools that can cope with rapidly increasing network bandwidth has become vital. One possible solution is to exploit the processing power of the multi-core processors that are now available as commercial-off-the-shelf (COTS) hardware. In this paper, we introduce DashCap, a software solution for wire-speed packet capturing and transmission on TCP/IP networks under the Linux operating system. The results of our experimental evaluation show that the proposed solution yields more than a twofold performance improvement for packet capturing compared to the existing software solutions under Linux. Building on DashCap, we propose a scalable software architecture for network monitoring tools called DashNMon. Multi-core awareness is a distinguishing property of this architecture: unlike existing cluster-based solutions, DashNMon can be used with COTS multi-core processors. To evaluate the proposed solutions, we have developed several prototype tools. The results of the experiments carried out with these tools show the scalability and high performance of network monitoring tools based on the proposed architecture. Using it, high-performance multi-threaded network intrusion detection systems (NIDSs) or application-layer firewalls can be designed and implemented entirely in user space, with better utilization of the computational resources of multi-processor/multi-core systems.
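The abstract describes a multi-core aware architecture in which a multi-threaded NIDS runs entirely in user space. The one property such a design must get right, and which the abstract does not spell out, is flow affinity: both directions of a connection have to land on the same worker thread, otherwise stateful analysis (TCP reassembly, per-connection signatures) would need locked, shared state across cores. The following Python is an added illustration of that generic requirement, not DashCap or DashNMon code; the packet fields, the symmetric 5-tuple hash and the sample packets are constructed here for the example and are not taken from the paper.

```python
"""Flow-affine packet dispatch for a multi-threaded monitor.

Added illustration, not DashCap/DashNMon code: shows why a multi-core aware
monitor partitions traffic by connection rather than round-robin, so that a
stateful analyser (e.g. a NIDS doing TCP reassembly) never shares per-flow
state between worker threads.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Minimal decoded header fields (constructed for this example)."""
    src_ip: str
    dst_ip: str
    proto: int        # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    payload_len: int


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent 5-tuple.

    The two (ip, port) endpoints are ordered so that A->B and B->A yield the
    same key; without this, request and reply would hash to different workers.
    """
    a = (int(ipaddress.ip_address(pkt.src_ip)), pkt.src_port)
    b = (int(ipaddress.ip_address(pkt.dst_ip)), pkt.dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo, hi)


def worker_for(pkt: Packet, n_workers: int) -> int:
    """Map a packet to a worker index in [0, n_workers) via a keyed-free hash.

    blake2b is used only as a well-distributed deterministic hash; any
    symmetric hash (e.g. a symmetric Toeplitz/RSS key) serves the same role.
    """
    digest = hashlib.blake2b(repr(flow_key(pkt)).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def dispatch(packets, n_workers: int) -> dict:
    """Partition a packet stream into per-worker queues (lists)."""
    queues = defaultdict(list)
    for p in packets:
        queues[worker_for(p, n_workers)].append(p)
    return dict(queues)


def check_flow_affinity(queues: dict) -> bool:
    """Return True if no flow key is split across two worker queues."""
    owner = {}
    for w, pkts in queues.items():
        for p in pkts:
            if owner.setdefault(flow_key(p), w) != w:
                return False
    return True


def bytes_per_worker(queues: dict) -> dict:
    """Payload bytes handled by each worker, to eyeball load balance."""
    return {w: sum(p.payload_len for p in pkts) for w, pkts in queues.items()}


# Constructed sample traffic: one HTTP connection in both directions plus a
# few unrelated flows. Addresses are documentation ranges, not real hosts.
CLIENT_TO_SERVER = Packet("10.0.0.5", "192.0.2.10", 6, 40000, 80, 120)
SERVER_TO_CLIENT = Packet("192.0.2.10", "10.0.0.5", 6, 80, 40000, 1400)
SAMPLE_PACKETS = [
    CLIENT_TO_SERVER,
    SERVER_TO_CLIENT,
    Packet("10.0.0.6", "192.0.2.10", 6, 40001, 443, 90),
    Packet("192.0.2.10", "10.0.0.6", 6, 443, 40001, 1300),
    Packet("10.0.0.7", "198.51.100.53", 17, 53001, 53, 60),
    Packet("198.51.100.53", "10.0.0.7", 17, 53, 53001, 200),
]

if __name__ == "__main__":
    q = dispatch(SAMPLE_PACKETS, n_workers=4)
    for w in sorted(q):
        print(f"worker {w}: {len(q[w])} packets, {bytes_per_worker(q)[w]} bytes")
    print("flow affinity preserved:", check_flow_affinity(q))
```

The check in `check_flow_affinity` is the property a multi-threaded, user-space NIDS depends on; a dispatcher that simply round-robins packets across cores would pass raw throughput tests yet break every stateful detector.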
Dashtbozorgi, M., Abdollahi Azgomi, M. A high-performance and scalable multi-core aware software solution for network monitoring. J Supercomput 59, 720–743 (2012). https://doi.org/10.1007/s11227-010-0469-0