Improving the performance of passive network monitoring applications with memory locality enhancements

Antonis Papadogiannakis, Giorgos Vasiliadis, Demetres Antoniades, Michalis Polychronakis, Evangelos P. Markatos

Research output: Contribution to journal › Article

13 Citations (Scopus)

Abstract

Passive network monitoring is the basis for a multitude of systems that support the robust, efficient, and secure operation of modern computer networks. Emerging network monitoring applications are more demanding in terms of memory and CPU resources due to the increasingly complex analysis operations that are performed on the inspected traffic. At the same time, as the traffic throughput in modern network links increases, the CPU time that can be devoted to processing each network packet decreases. This leads to a growing demand for more efficient passive network monitoring systems in which runtime performance becomes a critical issue. In this paper we present locality buffering, a novel approach for improving the runtime performance of a large class of CPU- and memory-intensive passive monitoring applications, such as intrusion detection systems, traffic characterization applications, and NetFlow export probes. Using locality buffering, captured packets are reordered by clustering packets with the same port number before they are delivered to the monitoring application. This results in improved code and data locality, and consequently, in an overall increase in the packet processing throughput and decrease in the packet loss rate. We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without modifications. Our experimental evaluation shows that locality buffering significantly improves the performance of popular applications, such as the Snort IDS, which exhibits a 21% increase in the packet processing throughput and is able to handle 67% higher traffic rates without dropping any packets.

Original language: English
Pages (from-to): 129-140
Number of pages: 12
Journal: Computer Communications
Volume: 35
Issue number: 1
DOIs: 10.1016/j.comcom.2011.08.003
Publication status: Published - 1 Jan 2012
Externally published: Yes

Fingerprint

Passive networks
Data storage equipment
Monitoring
Program processors
Throughput
Processing
Packet networks
Intrusion detection
Packet loss
Computer networks

Keywords

  • Intrusion detection systems
  • Locality buffering
  • Packet capturing
  • Passive network monitoring

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Improving the performance of passive network monitoring applications with memory locality enhancements. / Papadogiannakis, Antonis; Vasiliadis, Giorgos; Antoniades, Demetres; Polychronakis, Michalis; Markatos, Evangelos P.

In: Computer Communications, Vol. 35, No. 1, 01.01.2012, p. 129-140.

Papadogiannakis, Antonis; Vasiliadis, Giorgos; Antoniades, Demetres; Polychronakis, Michalis; Markatos, Evangelos P. / Improving the performance of passive network monitoring applications with memory locality enhancements. In: Computer Communications. 2012; Vol. 35, No. 1. pp. 129-140.

@article{155a46e206d14d2289e913033250eeb8,
title = "Improving the performance of passive network monitoring applications with memory locality enhancements",
abstract = "Passive network monitoring is the basis for a multitude of systems that support the robust, efficient, and secure operation of modern computer networks. Emerging network monitoring applications are more demanding in terms of memory and CPU resources due to the increasingly complex analysis operations that are performed on the inspected traffic. At the same time, as the traffic throughput in modern network links increases, the CPU time that can be devoted for processing each network packet decreases. This leads to a growing demand for more efficient passive network monitoring systems in which runtime performance becomes a critical issue. In this paper we present locality buffering, a novel approach for improving the runtime performance of a large class of CPU and memory intensive passive monitoring applications, such as intrusion detection systems, traffic characterization applications, and NetFlow export probes. Using locality buffering, captured packets are being reordered by clustering packets with the same port number before they are delivered to the monitoring application. This results in improved code and data locality, and consequently, in an overall increase in the packet processing throughput and decrease in the packet loss rate. We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without modifications. Our experimental evaluation shows that locality buffering improves significantly the performance of popular applications, such as the Snort IDS, which exhibits a 21{\%} increase in the packet processing throughput and is able to handle 67{\%} higher traffic rates without dropping any packets.",
keywords = "Intrusion detection systems, Locality buffering, Packet capturing, Passive network monitoring",
author = "Antonis Papadogiannakis and Giorgos Vasiliadis and Demetres Antoniades and Michalis Polychronakis and Markatos, {Evangelos P.}",
year = "2012",
month = "1",
day = "1",
doi = "10.1016/j.comcom.2011.08.003",
language = "English",
volume = "35",
pages = "129--140",
journal = "Computer Communications",
issn = "0140-3664",
publisher = "Elsevier",
number = "1",

}

TY - JOUR

T1 - Improving the performance of passive network monitoring applications with memory locality enhancements

AU - Papadogiannakis, Antonis

AU - Vasiliadis, Giorgos

AU - Antoniades, Demetres

AU - Polychronakis, Michalis

AU - Markatos, Evangelos P.

PY - 2012/1/1

Y1 - 2012/1/1

N2 - Passive network monitoring is the basis for a multitude of systems that support the robust, efficient, and secure operation of modern computer networks. Emerging network monitoring applications are more demanding in terms of memory and CPU resources due to the increasingly complex analysis operations that are performed on the inspected traffic. At the same time, as the traffic throughput in modern network links increases, the CPU time that can be devoted for processing each network packet decreases. This leads to a growing demand for more efficient passive network monitoring systems in which runtime performance becomes a critical issue. In this paper we present locality buffering, a novel approach for improving the runtime performance of a large class of CPU and memory intensive passive monitoring applications, such as intrusion detection systems, traffic characterization applications, and NetFlow export probes. Using locality buffering, captured packets are being reordered by clustering packets with the same port number before they are delivered to the monitoring application. This results in improved code and data locality, and consequently, in an overall increase in the packet processing throughput and decrease in the packet loss rate. We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without modifications. Our experimental evaluation shows that locality buffering improves significantly the performance of popular applications, such as the Snort IDS, which exhibits a 21% increase in the packet processing throughput and is able to handle 67% higher traffic rates without dropping any packets.

KW - Intrusion detection systems

KW - Locality buffering

KW - Packet capturing

KW - Passive network monitoring

UR - http://www.scopus.com/inward/record.url?scp=81255157603&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=81255157603&partnerID=8YFLogxK

U2 - 10.1016/j.comcom.2011.08.003

DO - 10.1016/j.comcom.2011.08.003

M3 - Article

VL - 35

SP - 129

EP - 140

JO - Computer Communications

JF - Computer Communications

SN - 0140-3664

IS - 1

ER -