High-Performance Software-Based Capture and Analysis of Application-Layer Traffic

  • Tiago Macambira UFMG
  • Dorgival Guedes UFMG
  • Wagner Meira Jr. UFMG

Abstract


The growing commercial use of computer networks has increased the need for systems that let network administrators monitor and analyze network traffic in detail. The available solutions usually depend on specialized, high-cost hardware. In this work we discuss the challenges of developing a software-based tool for real-time monitoring and analysis of application-layer traffic using conventional hardware. We present a capture architecture that allows the state of the applications used on the network to be analyzed, recovering, for example, the content exchanged among the users of a P2P network. The results show that the proposed architecture has a packet loss rate of only 3.3% when monitoring traffic at 500 Mbps, performing 99% better than a traditional approach. Even at this very high transmission rate, the system is still able to recover 71% of the data exchanged among the users of a P2P application, more than 100 times as much as the conventional solution.

Published
24/10/2005
MACAMBIRA, Tiago; GUEDES, Dorgival; MEIRA JR., Wagner. Captura e Análise de Tráfego da Camada de Aplicação por Software com Alto Desempenho. In: SIMPÓSIO EM SISTEMAS COMPUTACIONAIS DE ALTO DESEMPENHO (SSCAD), 6., 2005, Rio de Janeiro. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2005. p. 97-104. DOI: https://doi.org/10.5753/wscad.2005.18981.