A Network processor-based architecture for multi-gigabit traffic analysis
GIORDANO, STEFANO;OPPEDISANO, FRANCESCO;PROCISSI, GREGORIO;VITUCCI, FABIO
2009-01-01
Abstract
The wide availability of cheap and effective commodity PC hardware has driven the development of versatile traffic monitoring software such as protocol analyzers, traffic characterizers and intrusion detection systems. Most of them are designed to run on general-purpose architectures and are based on the well-known libpcap API, which has rapidly become a de facto standard. Although many improvements have been applied to packet capturing software, it still suffers from several performance flaws, mainly due to the underlying hardware bottlenecks. To overcome these issues, this paper proposes a system architecture that combines the high performance of a Network Processor card with the flexibility of software-based solutions. It removes most of the hardware limitations exhibited by a purely PC-based architecture, while preserving full compliance with any software application based on libpcap. In addition, the proposed system enables the use of monitoring applications at wire speed, with the possibility of on-the-fly data processing. The system performance has been thoroughly assessed: the results show that it clearly outperforms the previous PC-based solutions in terms of packet capturing power, while the timestamping accuracy is as good as that achieved by DAG cards.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.