Abstract
Passive network monitoring is the basis for a multitude of systems that support the robust, efficient, and secure operation of modern computer networks. Traditional passive network monitoring approaches focus either on relatively simple network traffic measurement and analysis applications, or just on gathering packet traces that are analyzed off-line. However, these approaches are not adequate to support emerging monitoring applications such as intrusion detection systems, detection of Internet worm outbreaks, and accurate traffic characterization.
In addition, most of these applications would benefit from monitoring data gathered at multiple vantage points across the Internet. At the same time, the speed of modern network links increases, Internet traffic gets more complex, and applications become more CPU- and memory-demanding due to more complex analysis operations. Thus, there is a growing demand for more efficient passive monitoring, since the performance of such applications becomes a critical issue.
In this thesis we present the design, implementation and performance evaluation of DiMAPI, a flexible and expressive application programming interface for distributed passive network monitoring. A broad range of monitoring applications can benefit from DiMAPI to efficiently perform advanced monitoring tasks over a potentially large number of passive monitoring sensors.
We also present a novel approach for improving the performance of a large class of CPU- and memory-intensive passive network monitoring applications. Our approach, called locality buffering, reorders the captured packet stream before it is delivered to the application, in a way that results in improved code and data locality, and consequently in an overall increase in packet processing throughput and a decrease in the packet loss rate.
We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without the need to change application code. Our experimental evaluation shows that locality buffering significantly improves the performance of popular applications.
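A minimal illustration of the reordering idea behind locality buffering, added here as an example and not code from the thesis or from libpcap. Grouping by destination port, the `pkt` record and the function names are assumptions; the abstract does not state the key used for reordering.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal packet record; a real capture carries the full frame. */
struct pkt { uint32_t seq; uint16_t dport; };

/* Count adjacent packet pairs with different destination ports. Each switch
 * makes the application move to different protocol code and state. */
size_t port_switches(const struct pkt *p, size_t n)
{
    size_t s = 0;
    for (size_t i = 1; i < n; i++)
        if (p[i].dport != p[i - 1].dport) s++;
    return s;
}

/* Reorder one buffer of n packets into out[] so that packets with the same
 * destination port (assumed grouping key) are contiguous. Groups appear in
 * order of first arrival and arrival order inside a group is preserved.
 * O(n^2), which is acceptable for a small fixed-size buffer. */
void locality_reorder(const struct pkt *in, struct pkt *out, size_t n)
{
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i; j++)
            if (in[j].dport == in[i].dport) { seen = 1; break; }
        if (seen) continue;                 /* group already emitted */
        for (size_t k = i; k < n; k++)
            if (in[k].dport == in[i].dport) out[w++] = in[k];
    }
}

/* Constructed sample: interleaved traffic to ports 80, 53 and 22. */
static const struct pkt SAMPLE[] = {
    {0, 80}, {1, 53}, {2, 22}, {3, 80}, {4, 53}, {5, 80}, {6, 22}, {7, 53},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    struct pkt out[SAMPLE_LEN];
    locality_reorder(SAMPLE, out, SAMPLE_LEN);
    printf("port switches: %zu before, %zu after\n",
           port_switches(SAMPLE, SAMPLE_LEN), port_switches(out, SAMPLE_LEN));
    return 0;
}
```

Only the interleaving across port groups changes; packets to the same port are still delivered in their original arrival order.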