Improving the performance of passive network monitoring applications with memory locality enhancements

Authors:
Antonis Papadogiannakis;Giorgos Vasiliadis;Demetres Antoniades;Michalis Polychronakis;Evangelos P. Markatos
Affiliations:
Institute of Computer Science, Foundation for Research and Technology - Hellas, P.O. Box 1385, Heraklion, GR-711-10, Greece;Institute of Computer Science, Foundation for Research and Technology - Hellas, P.O. Box 1385, Heraklion, GR-711-10, Greece;Institute of Computer Science, Foundation for Research and Technology - Hellas, P.O. Box 1385, Heraklion, GR-711-10, Greece;Computer Science Department, Columbia University, New York, USA;Institute of Computer Science, Foundation for Research and Technology - Hellas, P.O. Box 1385, Heraklion, GR-711-10, Greece
Venue:
Computer Communications
Year:
2012

Citing 18
Cited 2

Eliminating receive livelock in an interrupt-driven kernel

ACM Transactions on Computer Systems (TOCS)
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Kernel korner: Inside the Linux packet filter

Linux Journal
Web-conscious storage management for web proxies

IEEE/ACM Transactions on Networking (TON)
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Performance evaluation of packet capturing systems for high-speed networks

CoNEXT '05 Proceedings of the 2005 ACM conference on Emerging network experiment and technology
An Active Splitter Architecture for Intrusion Detection and Prevention

IEEE Transactions on Dependable and Secure Computing
FFPF: fairly fast packet filters

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
nCap: wire-speed packet capture and transmission

E2EMON '05 Proceedings of the End-to-End Monitoring Techniques and Services on 2005. Workshop
The BSD packet filter: a new architecture for user-level packet capture

USENIX'93 Proceedings of the USENIX Winter 1993 Conference Proceedings on USENIX Winter 1993 Conference Proceedings
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Beyond softnet

ALS '01 Proceedings of the 5th annual Linux Showcase & Conference - Volume 5
An architecture for exploiting multi-core processors to parallelize network intrusion prevention

Concurrency and Computation: Practice & Experience - Multi-core Supported Network and System Security
Packet capture in 10-gigabit Ethernet environments using contemporary commodity hardware

PAM'07 Proceedings of the 8th international conference on Passive and active network measurement
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Comparing and improving current packet capturing solutions based on commodity hardware

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
High speed network traffic analysis with commodity multi-core systems

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement

Scap: stream-oriented network traffic capture and analysis for high-speed networks

Proceedings of the 2013 conference on Internet measurement conference
High-Performance network traffic processing systems using commodity hardware

DataTraffic Monitoring and Analysis

Quantified Score

Hi-index	0.24

Visualization

Abstract

Passive network monitoring is the basis for a multitude of systems that support the robust, efficient, and secure operation of modern computer networks. Emerging network monitoring applications are more demanding in terms of memory and CPU resources due to the increasingly complex analysis operations that are performed on the inspected traffic. At the same time, as the traffic throughput in modern network links increases, the CPU time that can be devoted for processing each network packet decreases. This leads to a growing demand for more efficient passive network monitoring systems in which runtime performance becomes a critical issue. In this paper we present locality buffering, a novel approach for improving the runtime performance of a large class of CPU and memory intensive passive monitoring applications, such as intrusion detection systems, traffic characterization applications, and NetFlow export probes. Using locality buffering, captured packets are being reordered by clustering packets with the same port number before they are delivered to the monitoring application. This results in improved code and data locality, and consequently, in an overall increase in the packet processing throughput and decrease in the packet loss rate. We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without modifications. Our experimental evaluation shows that locality buffering improves significantly the performance of popular applications, such as the Snort IDS, which exhibits a 21% increase in the packet processing throughput and is able to handle 67% higher traffic rates without dropping any packets.