**2.1 Architecture of Ksensor**

The kernel-level framework, called Ksensor, intended to exploit the parallelism in QoS algorithms, improving the overall performance.

Modelling a Network Traffic Probe Over a Multiprocessor Architecture 307

It does not matter what processing thread analyses a packet because all of them use the same analysis logic. As we said before, there is a shared memory (memory map module)

Ksensor is integrated into the Linux Kernel. In order to capture the packets of the net, Ksensor uses the Kernel networking subsystem. The capturing interface of this subsystem is called NAPI (New API). Nowadays, all the devices have been upgraded to NAPI. Because of

When the first packet arrives to the NIC, it is stored on the card's internal buffer. When the PCI bus is free, the packets are copied from the NIC's buffer to a ring buffer through DMA. The ring buffer is also known as DMA buffer. Once this copy has finished, a hardware interrupt (hardirq) is generated. All of these actions have been executed without consuming

If the network interface copies a lot of packets in the ring buffer and the Kernel does not take them out, the ring buffer fills up. In this case, unless the interrupts are disabled, another interrupt is generated in order to notify this situation. Then, while the ring buffer is full, the new captured packets will be stored on the NIC's buffer. When this buffer fills up too, the

In any case, when the kernel detects the network card interrupt, its handler is executed. In this handler, the NIC driver registers the network interface in an especial list called poll list. This means that this interface has captured packets and needs the Kernel to take them out of the ring buffer. In order to do that, a new software interrupt (softIRQ) is scheduled. Finally, hardIRQs are disabled. From now on, the NIC will not notify new packet arrivals or

that stores the analysis logic. All the processing threads can access this memory.

that it is important to explain how this interface works [Benvenuti, 2006].

Fig. 2. Multithreaded execution instances in Ksensor.

**2.2 Capturing mechanism in Linux** 

any processor's resources.

arriving packets will be dropped.

overload of the ring buffer.

Fig. 1. Architecture of Ksensor.

Fig. 1 shows the architecture of Ksensor. As we can see, only the system configuration (parser) and the result management (Offline Processing Module, OPM) modules are at userlevel. Communication between user and Kernel spaces is offered by a module called driver. The figure also shows a module called memory map. This module is shared memory where the analysis logic and some variables are stored.

The definition of execution threads is aimed to take advantage of multiprocessor architectures at kernel-level and solve priority problems, minimizing context and CPU switching. Kernel threads are scheduled at the same level than other processes, so the Kernel's scheduler is responsible for this task.

Ksensor executes two tasks. On one hand, it has to capture network traffic. On the other hand, it has to analyse those captured packets. In order to do that, we define independent instances for capture and analysis phases. Each thread belongs to an execution instance of the system and is always linked with the same processor. All threads share information through the Kernel memory.

In Fig. 2 we can see the multithreaded execution instances in Ksensor. There are as many analysing instances as processors (ksensord#n) and as many capturing instances as capturing NICs (ksoftirqd#n). For example, if the system has two processors, one of them is responsible for capturing packets and analysing some of them and the other one is responsible for analysing packets. This way an analysis task could fill the 100% of one processor's resources if necessary.

The capturing instance takes the packets that the networking subsystem captures and stores them in the packet queue. There is only one packet queue. Processing instances take packets from that queue in order to analyse them.

Fig. 1 shows the architecture of Ksensor. As we can see, only the system configuration (parser) and the result management (Offline Processing Module, OPM) modules are at userlevel. Communication between user and Kernel spaces is offered by a module called driver. The figure also shows a module called memory map. This module is shared memory where

The definition of execution threads is aimed to take advantage of multiprocessor architectures at kernel-level and solve priority problems, minimizing context and CPU switching. Kernel threads are scheduled at the same level than other processes, so the

Ksensor executes two tasks. On one hand, it has to capture network traffic. On the other hand, it has to analyse those captured packets. In order to do that, we define independent instances for capture and analysis phases. Each thread belongs to an execution instance of the system and is always linked with the same processor. All threads share information

In Fig. 2 we can see the multithreaded execution instances in Ksensor. There are as many analysing instances as processors (ksensord#n) and as many capturing instances as capturing NICs (ksoftirqd#n). For example, if the system has two processors, one of them is responsible for capturing packets and analysing some of them and the other one is responsible for analysing packets. This way an analysis task could fill the 100% of one

The capturing instance takes the packets that the networking subsystem captures and stores them in the packet queue. There is only one packet queue. Processing instances take packets

Fig. 1. Architecture of Ksensor.

through the Kernel memory.

processor's resources if necessary.

from that queue in order to analyse them.

the analysis logic and some variables are stored.

Kernel's scheduler is responsible for this task.

Fig. 2. Multithreaded execution instances in Ksensor.

It does not matter what processing thread analyses a packet because all of them use the same analysis logic. As we said before, there is a shared memory (memory map module) that stores the analysis logic. All the processing threads can access this memory.
