**Modelling a Network Traffic Probe Over a Multiprocessor Architecture**

Luis Zabala, Armando Ferro, Alberto Pineda and Alejandro Muñoz *University of the Basque Country (UPV/EHU) Spain* 

### **1. Introduction**


The need to monitor and analyse data traffic grows with increasing network usage by businesses and domestic users. Disciplines such as security, quality of service analysis, network management, billing and even routing require traffic monitoring and analysis systems with high performance. Thus, the increasing bandwidth in data networks and the amount and variety of network traffic have increased the functional requirements for applications that capture, process or store monitored traffic. Besides, the availability of capture hardware (monitoring cards, taps, etc.) and mass storage solutions at a reasonable cost makes the situation better in the field of network traffic monitoring. For these reasons, several research groups are studying how to monitor heterogeneous network environments, such as wired broadband backbone networks, next generation cellular networks, high-speed access networks or WLAN in campus-like environments. In keeping with this line, our research group NQaS (Networking, Quality and Security) aims to contribute to this challenge and presents theoretical and experimental research to study the behaviour of a probe (Ksensor) that can perform traffic capturing and analysis tasks in Gigabit Ethernet networks. Not only do we intend to progress in the design of traffic analysis systems, but we also want to obtain mathematical models to study the performance of these devices.

The spread of 1/10 Gigabit Ethernet networks emphasizes the problems related to system losses, which invalidate the results for certain analyses. New Gigabit networks, even at 40 and 100 Gbps, are already being implemented and the problem becomes accentuated. On top of that, commodity systems are not optimized for monitoring [Wang&Liu, 2004] and, as a result, processing resources are often wasted on inefficient tasks. Because of this, new research works have arisen focusing on the development of analysis systems that are able to process all the information carried by actual networks.

Taking all this into account, we would like to develop analytical models that represent traffic monitoring systems in order to provide solutions to the problems mentioned before. Modelling helps to predict the system's performance when it is subjected to a variety of network traffic load conditions. Designers and administrators can identify bottlenecks, deficiencies and key system parameters that impact its performance, and thereby the system can be properly tuned to give the optimal performance. By means of modelling techniques, it is possible to draw qualitative and, in many cases, also quantitative conclusions about features related to modelled systems even without having to develop them. The impact of development costs, which is a determining factor in some cases, can be dramatically reduced by using modelling.

Having this in mind, and considering the experience of our group, we present our original design (Ksensor) that improves system performance, as well as a mathematical model based on a closed queueing network which represents the behaviour of a multiprocessor traffic monitoring and analysis system. Both things are considered together in the validation of the model, where Ksensor is used as well as a testing platform developed by NQaS. All these aspects are presented throughout this chapter.

A number of papers have addressed the issue of modelling traffic monitoring systems. However, there are more works related to the hardware and software involved in this type of system.

Regarding hardware proposals, one of the most relevant was the development of the high-performance DAG capture cards [Cleary et al., 2000] at the University of Waikato (New Zealand). Several research works and projects have made use of these cards for traffic analysis system design. Some other works proposed the use of Network Processors (NP) [Intel, 2002]. Conventional hardware also showed bottlenecks and new input/output architectures were proposed, such as Intel's CSA (Communication Streaming Architecture).

At the software level, Mogul and Ramakrishnan [Mogul&Ramakrishnan, 1996] identified the most important performance issues on interrupt-driven capture systems. Zero-copy architectures are also noteworthy [Zhu et al., 2006]. They try to omit the path followed by packets through the system kernel to the user-level applications, providing direct access to captured data or mapping memory spaces (mmap). Biswas and Sinha proposed a DMA ring architecture [Biswas&Sinha, 2006] shared by user and kernel levels. Luca Deri suggests a passive traffic monitoring system over general purpose hardware at Gbps speeds (nProbe). Deri has also suggested improvements for the capture subsystem of GNU/Linux, such as a driver-level ring [Deri, 2004], and a user-level library, nCap [Deri, 2005a]. Recently, Deri has proposed a method for speeding up network analysis applications running on Virtual Machines [Cardigliano, 2011], and has presented a framework [Fusco&Deri, 2011] that can be exploited to design and implement this kind of application.

Other proposals focus on parallel systems. Varenni et al. described the logic architecture of a multiprocessor monitoring system based on a circular capture buffer [Varenni et al., 2003] and designed an SMP driver for DAG cards. We must also mention the KNET module [Lemoine et al., 2003], a packet classifying system at the NIC to provide independent per-connection queues for processors. In addition, Schneider and Wallerich studied the performance challenges over general purpose architectures and described a methodology [Schneider, 2007] for evaluating and selecting the ideal hardware/software in order to monitor high-speed networks.

Apart from the different proposals about architectures for capture and analysis systems, there are analytical studies which aim at the performance evaluation of these computer systems. Among them, we want to underline the works done by the group led by Salah [Salah, 2006][Salah et al., 2007]. They analyse the performance of the capturing system considering CPU consumptions in a model based on queuing theory. Their last contributions explain the evolution of their models towards applications like Snort or PC software routers. Another work in the same line was developed by Wu [Wu et al., 2007], where a mathematical model based on the 'token bucket' algorithm characterized the Linux packet reception process.

We have also identified more complex models whose application to traffic capturing and analysis systems can be very beneficial. They are models based on queuing systems with vacations. In this field, we want to underline the contributions from Lee [Lee, 1989], Takagi [Takagi, 1994, 1995] and Fiems [Fiems, 2004].

Most of the previous approaches are for single processor architectures. However, there is clear interest in the construction of analytical models for multiprocessor architectures, in order to evaluate their performance. This paper contributes in this sense from a different point of view, given that the model is based on a closed queueing network. Furthermore, the analytical model and the techniques presented in this paper can be considerably useful not only to model traffic monitoring systems, but also to characterize similarly-behaving queueing systems, particularly those of multiple-stage service. These systems may include intrusion detection systems, network firewalls, routers, etc.

The rest of the chapter is organized as follows: in Section 2 we introduce the framework of our traffic and analysis system called 'Ksensor'. Section 3 presents the analytical model for evaluating the performance of the traffic monitoring system. Section 4 provides details on the analytical solution of the model. Section 5 deals with the validation and discusses the obtained results. Finally, Section 6 presents the conclusions and future work.

### **2. Ksensor: Multithreaded kernel-level probe**

In a previous work [Muñoz et al., 2007], our research group, NQaS, proposed a design for an architecture able to cope with high-speed traffic monitoring using commodity hardware. This kernel-level framework is called Ksensor and its design is based on the following elements:

• Migration to the kernel, which consists in migrating the processing module from user-level to the kernel of the operating system.

• Execution threads defined to take advantage of multiprocessor architectures at kernel-level and solve priority problems. Independent instances are defined for capture and analysis phases. There are as many analysing instances as processors, and as many capturing instances as capturing NICs.

• A single packet queue, shared by all the analysing instances, omitting the filtering module and so saving processing resources for the analysis.

This section explains the main aspects of Ksensor, because of its importance in the validation of the mathematical model which will be explained in a subsequent section.

**2.1 Architecture of Ksensor**

The kernel-level framework, called Ksensor, is intended to exploit the parallelism in QoS algorithms, improving the overall performance.
