**2.2 Capturing mechanism in Linux**

Ksensor is integrated into the Linux Kernel. In order to capture the packets of the net, Ksensor uses the Kernel networking subsystem. The capturing interface of this subsystem is called NAPI (New API). Nowadays, all the devices have been upgraded to NAPI. Because of that it is important to explain how this interface works [Benvenuti, 2006].

When the first packet arrives to the NIC, it is stored on the card's internal buffer. When the PCI bus is free, the packets are copied from the NIC's buffer to a ring buffer through DMA. The ring buffer is also known as DMA buffer. Once this copy has finished, a hardware interrupt (hardirq) is generated. All of these actions have been executed without consuming any processor's resources.

If the network interface copies a lot of packets in the ring buffer and the Kernel does not take them out, the ring buffer fills up. In this case, unless the interrupts are disabled, another interrupt is generated in order to notify this situation. Then, while the ring buffer is full, the new captured packets will be stored on the NIC's buffer. When this buffer fills up too, the arriving packets will be dropped.

In any case, when the kernel detects the network card interrupt, its handler is executed. In this handler, the NIC driver registers the network interface in an especial list called poll list. This means that this interface has captured packets and needs the Kernel to take them out of the ring buffer. In order to do that, a new software interrupt (softIRQ) is scheduled. Finally, hardIRQs are disabled. From now on, the NIC will not notify new packet arrivals or overload of the ring buffer.

Modelling a Network Traffic Probe Over a Multiprocessor Architecture 309

program's code has a quite deterministic behaviour, some randomness is introduced by Poisson incoming traffic, variable length of packets and kernel scheduler uncertainty.

The proposed queuing network for modelling a traffic monitoring system is showed in Fig. 3. It consists of two parts; the upper one has a set of multi-server queues which represents the processing ability of the traffic analysis system. The lower part models the injection of network traffic with λ rate with a simple queue. The number of packets that are permitted in

ANALYSIS

μ*Ak*

> μ*Ak p*

*qa*

μ*Au*

> μ*Au p*

γ

**3.1 Description of the model** 

μ*kk*

> μ*kk p*

*W = N*

specific function:

packet arrival.

the closed queue network is fixed and its value is N.

μ*Tk*

> μ*Tk p*

Fig. 3. General model for the traffic analysis system.

whether a packet need to be further analysed or not.

TREATMENT

μ*Tu*

> μ*Tu p*

> > λ

TRAFFIC INJECTIÓN

Some stages are divided into multiple queues, due to the need to differentiate the processing done in the Kernel and the processing done at user level. Although the process code is usually running on the user level, system calls that require Kernel services are also used.

Four different stages have been distinguished for the closed network, each one with a

• System stage (system queue): it consists in a queue of μkk (measured in packets per second) capacity. This stage represents the time spent on the Kernel level of the operating system by the traffic analysis system. It comprises treatments of device controllers and attention paid by kernel to interruptions (hardIRQ and softIRQ) due to

• Basic treatment stage (treatment queues): it is modelled by two queues with μTk and μTu capacities. This stage represents the amount of time consumed by the system to perform basic treatment to packets captured from the net. This is mainly accomplished by studying control headers of the packets and by determining through a decision tree

SYSTEM BASIC
