A network processor‐based architecture for multi‐gigabit traffic analysis

Abstract

AbstractThe wide availability of cheap and effective commodity PC hardware has driven the development of versatile traffic monitoring software such as protocol analyzers, traffic characterizers and intrusion detection systems. Most of them are designed to run on general purpose architectures and are based on the well‐known libpcap API, which has rapidly become a de facto standard. Although many improvements have been applied to packet capturing software, it still suffers from several performance flaws, mainly due to the underlying hardware bottlenecks. To overcome these issues, this paper proposes a system architecture, which combines the high performance of a Network Processor card with the flexibility of software‐based solutions. It allows for removing most part of the hardware limitations exhibited by a purely PC‐based architecture, while preserving the full compliance to any software applications based on libpcap. In addition, the proposed system enables the use of monitoring applications at the wire speed, with the possibility of on‐the‐fly data processing. The system performance has been thoroughly assessed: the results show that it clearly outperforms the previous PC‐based solutions in terms of packet capturing power, while the timestamping accuracy is as good as that achieved by DAG cards. Copyright © 2009 John Wiley & Sons, Ltd.