Packet filter optimization techniques for high-speed network monitoring

Abstract

Effective network monitoring is vital for a growing number of control and management applications typically found in present-day networks. The ever-increasing link speeds and the complexity of monitoring applications’ needs have exposed severe limitations of existing monitoring techniques. A majority of the current monitoring tasks require only a small subset of all observed packets, which share some common properties such as identical header fields or similar patterns in their data. In order to capture only these useful packets, a large set of expressions needs to be evaluated. This evaluation should be done as efficiently as possible when monitoring multi-gigabit networks. To speed up this packet classification process, this article presents different packet filter optimization techniques. Complementary to existing approaches, we propose an adaptive optimization algorithm which dynamically reconfigures the filter expressions based on the currently observed traffic pattern. The performance of the algorithms is validated both analytically and by means of the implementation in a network monitoring framework. The various characteristics of the algorithms are investigated, including their performance in an operational network intrusion detection system.