Tracing traffic using commodity hardware in contemporary high-speed access or aggregation networks such as 10-Gigabit Ethernet is an increasingly common yet challenging task. In this paper we investigate whether today's commodity hardware and software are in principle able to capture traffic from a fully loaded Ethernet. We find that, without resorting to special hardware, this is only possible for data rates up to 1 Gigabit/s, due to, e.g., limitations of the current PC buses. Therefore, we propose a novel way of monitoring higher-speed interfaces (e.g., 10-Gigabit) by distributing their traffic across a set of lower-speed interfaces (e.g., 1-Gigabit). This raises the next question: which system configuration is capable of monitoring one such 1-Gigabit/s interface? To answer this question we present a methodology for evaluating the performance impact of different system components, including different CPU architectures and different operating systems. Our results indicate that the combination of AMD Opteron with FreeBSD outperforms all others, independently of running in single- or multi-processor mode. Moreover, we investigate the impact of packet filtering, running multiple capturing applications, adding per-packet analysis load, saving the captured packets to disk, and using 64-bit OSes.