An Intrusion Detection System (IDS) combines hardware and software. An IDS analyzes events on networks or hosts to uncover hidden security problems. In recent years frequent network attacks have taught us a hard lesson, so more attention is being paid to IDS in the hope that it will solve the problem, and IDS plays an ever more important part in network security.

A Network Intrusion Detection System (NIDS) works on raw data taken from the network and analyzes network communications and traffic in real time. Compared with a HIDS (Host Intrusion Detection System), a NIDS is more widely used. But network technology is developing fast and link speeds are much higher than before, all of which poses a great challenge to a traditional NIDS. The efficiency of packet capture is the first problem of a traditional NIDS. Our task is to improve the efficiency of packet capture on existing commodity hardware. Much effort has gone into this, and there are new packet capture techniques such as NAPI and PF_ring.

DMA_ring is a high-performance packet capture architecture built on Linux. It was designed by A. Biswas, and our work proceeds from his contributions. Our work is as follows.

We built the DMA_ring architecture in our own network environment and studied its application in NIDS systems further. The architecture has two parts. One part works in kernel space: it transfers the packets captured by the NIC (network interface card) by DMA into a DMA ring buffer. The ring buffer is re-mapped into user space with an mmap call, and user space then reads and processes data directly from this buffer, so this is a zero-copy architecture. The other part works in user space. It analyzes the network traffic and decides which driving mode to use: interrupt or polling. When the packet arrival rate is low we use interrupt mode; when the packet arrival rate is high we switch to polling mode. This half-polling architecture makes much better use of system resources and lets the hardware work more efficiently. A new method is used to forecast the packet arrival rate; it is considered to be both sharp (responsive) and noise-immune, so the system can switch modes quickly and correctly.

Based on A. Biswas's work, we developed it further and applied it in a real network environment. We migrated the architecture to the vanilla Linux kernel, which makes it more adaptable, so that it can be deployed on other Linux systems and on embedded Linux equipment as well.

Finally, we ran more tests on the new architecture. A. Biswas only gave results for 64-bit packet traffic, whereas we tested the architecture under various conditions. We concentrated on packet loss, system throughput and CPU utilization, and ran our tests under different network traffic loads. We then compared the results with a NIDS system without the new architecture, analyzed them and drew our conclusions.

After that, we tried to apply the architecture to a NIDS system. Nowadays most packet capture systems are built on the Libpcap library. We embedded the DMA_ring architecture into Libpcap by modifying the "libpcap" packet capture library source code, so that it is no longer a stand-alone packet capture architecture. When a NIDS system such as Snort runs in user space, the architecture is activated and acts as part of the NIDS system. We connected the Libpcap library with the DMA_ring architecture successfully, but this cost me too much time, so we did not have enough time to proceed with the next step, receiving packets from the DMA_ring and the IOCTL. We will do that later.
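The two parts of the architecture described above (a ring buffer that user space reads in place, and a user-space controller that chooses interrupt or polling mode from the forecast packet arrival rate) as an added, self-contained C simulation. This is not the DMA_ring code and not A. Biswas's implementation; it runs entirely in user space with no NIC, DMA or kernel involvement. The abstract does not say how the arrival rate is forecast, so the exponentially weighted moving average and the two-threshold (hysteresis) switch below are assumptions, as are every name, the thresholds and the constructed rate trace. What it shows is why hysteresis matters: one noisy spike must not flip the driver, while a sustained burst must, and the ring's `dropped` counter is the packet-loss figure a test like the one in the abstract would measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Part 1: the DMA ring as seen from user space (zero-copy model) ----
 * The producer stands in for the NIC/DMA engine writing descriptors, the
 * consumer for the NIDS reading them in place through the mmap'ed ring.
 * A full ring means the NIC has nowhere to put the next packet: a loss. */
#define RING_SLOTS 8                     /* power of two so masking works */
#define RING_MASK  (RING_SLOTS - 1)

typedef struct { uint32_t len; uint32_t seq; } slot_t;   /* descriptor */

typedef struct {
    slot_t   slot[RING_SLOTS];
    uint32_t head;      /* next slot the producer fills */
    uint32_t tail;      /* next slot the consumer reads */
    uint32_t dropped;   /* packets lost because the ring was full */
} ring_t;

void ring_init(ring_t *r) { memset(r, 0, sizeof *r); }

/* Producer: 1 if stored, 0 if the ring was full and the packet was lost. */
int ring_push(ring_t *r, uint32_t len, uint32_t seq) {
    if (r->head - r->tail == RING_SLOTS) { r->dropped++; return 0; }
    r->slot[r->head & RING_MASK] = (slot_t){ len, seq };
    r->head++;
    return 1;
}

/* Consumer: pointer into the ring (no copy) or NULL when empty. The slot
 * stays with the consumer until ring_release() hands it back. */
const slot_t *ring_peek(const ring_t *r) {
    return r->head == r->tail ? NULL : &r->slot[r->tail & RING_MASK];
}
void ring_release(ring_t *r) { if (r->head != r->tail) r->tail++; }

/* ---- Part 2: interrupt/polling mode controller ----
 * ASSUMPTION (not from the page): the rate is smoothed with an EWMA and
 * the mode change uses two thresholds (hysteresis), so a single noisy
 * sample cannot flip the driver back and forth. */
typedef enum { MODE_INTERRUPT = 0, MODE_POLLING = 1 } drv_mode_t;

typedef struct {
    double     ewma;      /* smoothed packets-per-second estimate */
    double     alpha;     /* weight of the newest sample, 0 < alpha <= 1 */
    double     low_pps;   /* leave polling below this */
    double     high_pps;  /* enter polling above this */
    drv_mode_t mode;
    unsigned   switches;  /* mode changes so far (flapping indicator) */
} mode_ctrl_t;

void ctrl_init(mode_ctrl_t *c, double alpha, double low_pps, double high_pps) {
    c->ewma = 0.0; c->alpha = alpha; c->low_pps = low_pps;
    c->high_pps = high_pps; c->mode = MODE_INTERRUPT; c->switches = 0;
}

/* Feed one arrival-rate sample (packets/s) and return the mode to run in. */
drv_mode_t ctrl_update(mode_ctrl_t *c, double sample_pps) {
    c->ewma += c->alpha * (sample_pps - c->ewma);
    if (c->mode == MODE_INTERRUPT && c->ewma > c->high_pps) {
        c->mode = MODE_POLLING;   c->switches++;
    } else if (c->mode == MODE_POLLING && c->ewma < c->low_pps) {
        c->mode = MODE_INTERRUPT; c->switches++;
    }
    return c->mode;
}

/* ---- Demo on a constructed trace (not measurements from the page) ---- */
static const double DEMO_TRACE[] = {   /* packets/s per sampling period */
    1000, 1000, 100000, 1000,          /* idle link with one noisy spike */
    100000, 100000, 100000, 30000,     /* sustained burst                */
    1000, 1000, 1000, 1000             /* back to idle                   */
};
#define DEMO_LEN (sizeof DEMO_TRACE / sizeof DEMO_TRACE[0])
drv_mode_t demo_modes[DEMO_LEN];       /* mode chosen after each sample */

/* Runs the controller over DEMO_TRACE; returns the number of mode switches. */
unsigned run_demo(void) {
    mode_ctrl_t c;
    ctrl_init(&c, 0.25, 20000.0, 50000.0);
    for (size_t i = 0; i < DEMO_LEN; i++)
        demo_modes[i] = ctrl_update(&c, DEMO_TRACE[i]);
    return c.switches;
}

/* Pushes n packets into an empty ring without draining; returns the drops. */
uint32_t ring_demo_drops(uint32_t n) {
    ring_t r; ring_init(&r);
    for (uint32_t i = 0; i < n; i++) ring_push(&r, 64, i);
    return r.dropped;
}

/* Pushes n packets, then drains in place; returns how many were consumed. */
uint32_t ring_demo_consume(uint32_t n) {
    ring_t r; ring_init(&r);
    uint32_t consumed = 0;
    for (uint32_t i = 0; i < n; i++) ring_push(&r, 64, i);
    while (ring_peek(&r)) { ring_release(&r); consumed++; }
    return consumed;
}

int main(void) {
    unsigned sw = run_demo();
    for (size_t i = 0; i < DEMO_LEN; i++)
        printf("sample %2zu rate %7.0f -> %s\n", i, DEMO_TRACE[i],
               demo_modes[i] == MODE_POLLING ? "POLLING" : "INTERRUPT");
    printf("mode switches: %u, drops pushing 10 into %d slots: %u\n",
           sw, RING_SLOTS, ring_demo_drops(10));
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. With these constants the lone spike at sample 2 leaves the controller in interrupt mode, the burst from sample 4 on enters polling at sample 5, and the return to idle does not leave polling until sample 11; the gap between `low_pps` and `high_pps` is what keeps the switch count at two instead of chasing every sample.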