A high-performance and scalable multi-core aware software solution for network monitoring

The Journal of Supercomputing

Abstract

In recent years, the need for high-performance network monitoring tools that can cope with rapidly increasing network bandwidth has become vital. A possible solution is to utilize the processing power of multi-core processors, which are now available as commercial-off-the-shelf (COTS) hardware. In this paper, we introduce DashCap, a software solution for wire-speed packet capturing and transmission for TCP/IP networks under the Linux operating system. The results of our experimental evaluations show that the proposed solution delivers a more than twofold performance boost for packet capturing in comparison to the existing software solutions under Linux. We have also proposed a scalable software architecture for network monitoring tools called DashNMon, which is based on DashCap. Multi-core awareness is a distinguishing property of this architecture. In contrast to the existing cluster-based solutions, DashNMon can be used with COTS multi-core processors. In order to evaluate the proposed solutions, we have developed several prototype tools. The results of the experiments carried out using these tools show the scalability and high performance of the network monitoring tools that are based on the proposed architecture. Using the proposed architecture, it is possible to design and implement high-performance multi-threaded network intrusion detection systems (NIDSs) or application-layer firewalls completely in user space, with better utilization of the computational resources of multi-processor/multi-core systems.

Author information

Corresponding author

Correspondence to Mohammad Abdollahi Azgomi.

About this article

Cite this article

Dashtbozorgi, M., Abdollahi Azgomi, M. A high-performance and scalable multi-core aware software solution for network monitoring. J Supercomput 59, 720–743 (2012). https://doi.org/10.1007/s11227-010-0469-0

  • DOI: https://doi.org/10.1007/s11227-010-0469-0
