
The System For Network Traffic Monitoring Based On Embedded Linux

Posted on: 2010-03-09
Degree: Master
Type: Thesis
Country: China
Candidate: J Bao
Full Text: PDF
GTID: 2178360278457553
Subject: Computer application technology

Abstract/Summary:
With the development of the Internet and computer technology, networks have entered almost every aspect of society and daily life, but they have also brought problems that must be dealt with. Security threats and abnormal network traffic have a strong influence on the network, so the research and development of software that monitors network traffic and detects abnormal cases has become an important task in the field of computer network security.

Based on research and analysis of current network traffic monitoring technology, a network monitoring system that runs inside the Linux kernel as a dynamically loaded module is designed and implemented. Compared with network monitoring applications running in user space, the module reduces memory copies from kernel space to user space to a minimum, because traffic collection, analysis and the other tasks are all completed in kernel space, so overall performance is greatly improved.

First, a connection-level network monitoring system running in the Linux kernel is designed and implemented. It consists mainly of five functional modules: a traffic collection module, a traffic statistics module, a timing module, a TCP state inspection module and a time-out testing module. The system is tested, compared and verified: compared with Tcpdump running in user space, it is practical and efficient owing to its lower packet loss rate.

Second, a host-level network monitoring system running in the Linux kernel is designed and implemented, which can be applied to worm detection. It consists mainly of three functional modules: a traffic collection module, a TCP connection query module and a worm detection module. This system is also tested. Using a worm detection algorithm based on the failure probability of FCC and on heavy-tailed properties, it can detect network worms in kernel space promptly and accurately while decreasing false positives.

Third, the system is ported to an embedded development platform and finally deployed in an experimental network.

The innovations of this thesis include: the design of a traffic monitoring system in kernel space; the design and implementation of traffic collection and statistical analysis of traffic; and the design and implementation of host-level traffic monitoring technology for worm detection.
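As an added example (not the thesis's own code, which ran as a Linux kernel module and is not reproduced on this page), the C program below models in user space how the connection-level modules described above can feed host-level worm detection: a small connection table driven by TCP flags (the TCP state inspection module), a sweep that turns unanswered SYNs into failures after a timeout (the time-out testing module), and a per-host failed-connection ratio gated by a minimum attempt count. The packet model, the table sizes, the 0.5 ratio threshold, the minimum of 5 attempts and the sample traffic are assumptions for illustration; the thesis's FCC-based algorithm is not detailed on this page and is not reproduced here.

```c
/* Added illustration, not the thesis code: a user-space model of a connection-level tracker
 * (TCP state inspection + time-out testing) feeding a host-level failed-connection heuristic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONN 64
#define MAX_HOSTS 16
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef enum { ST_FREE = 0, ST_SYN_SENT, ST_ESTABLISHED } conn_state_t;
typedef struct { uint32_t src, dst; uint16_t sport, dport; conn_state_t state; uint32_t last_seen; } conn_t; /* keyed by initiator; last_seen in seconds */
typedef struct { uint32_t host, attempts, failures; int used; } host_stat_t;   /* per-host counters */
typedef struct { uint32_t src, dst; uint16_t sport, dport; int syn, ack, rst, fin; uint32_t ts; } pkt_t; /* header fields the collector keeps */

static conn_t conns[MAX_CONN];
static host_stat_t hosts[MAX_HOSTS];
void reset_tracker(void) { memset(conns, 0, sizeof conns); memset(hosts, 0, sizeof hosts); }

static host_stat_t *host_get(uint32_t ip, int create) {   /* look up a host, optionally allocating */
    host_stat_t *slot = NULL;
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (hosts[i].used && hosts[i].host == ip) return &hosts[i];
        if (!hosts[i].used && !slot) slot = &hosts[i];
    }
    if (create && slot) *slot = (host_stat_t){ ip, 0, 0, 1 };
    return create ? slot : NULL;
}
static conn_t *conn_find(uint32_t init, uint32_t resp, uint16_t isport, uint16_t rdport) {
    for (int i = 0; i < MAX_CONN; i++)   /* connection initiated by init towards resp */
        if (conns[i].state != ST_FREE && conns[i].src == init && conns[i].dst == resp &&
            conns[i].sport == isport && conns[i].dport == rdport) return &conns[i];
    return NULL;
}
static void conn_fail(conn_t *c) {       /* charge the failure to the initiator, free the slot */
    host_stat_t *h = host_get(c->src, 1);
    if (h) h->failures++;
    c->state = ST_FREE;
}

/* TCP state inspection: advance the per-connection state from the flags seen */
void process_packet(const pkt_t *p) {
    if (p->syn && !p->ack) {                         /* new attempt by p->src */
        for (int i = 0; i < MAX_CONN; i++) {
            if (conns[i].state != ST_FREE) continue;
            conns[i] = (conn_t){ p->src, p->dst, p->sport, p->dport, ST_SYN_SENT, p->ts };
            host_stat_t *h = host_get(p->src, 1);
            if (h) h->attempts++;
            return;
        }
        return;                                       /* table full: attempt not tracked */
    }
    conn_t *c = conn_find(p->dst, p->src, p->dport, p->sport);   /* reply: reversed tuple */
    if (!c) c = conn_find(p->src, p->dst, p->sport, p->dport);   /* initiator's own packet */
    if (!c) return;
    c->last_seen = p->ts;
    if (p->rst) { if (c->state == ST_SYN_SENT) conn_fail(c); else c->state = ST_FREE; }
    else if (p->syn && p->ack && c->state == ST_SYN_SENT) c->state = ST_ESTABLISHED;
    else if (p->fin) c->state = ST_FREE;
}
/* time-out testing: a SYN with no answer within `timeout` seconds counts as a failure */
void expire_connections(uint32_t now, uint32_t timeout) {
    for (int i = 0; i < MAX_CONN; i++)
        if (conns[i].state == ST_SYN_SENT && now - conns[i].last_seen > timeout) conn_fail(&conns[i]);
}

double failure_ratio(uint32_t host) {
    host_stat_t *h = host_get(host, 0);
    return (h && h->attempts) ? (double)h->failures / h->attempts : 0.0;
}

/* host-level heuristic (assumed parameters): a minimum attempt count gates the ratio test, so a
 * legitimately busy host in the heavy tail of the connection-count distribution is not flagged on volume alone */
int is_suspicious(uint32_t host, double ratio_thr, uint32_t min_attempts) {
    host_stat_t *h = host_get(host, 0);
    return h && h->attempts >= min_attempts && failure_ratio(host) >= ratio_thr;
}

/* constructed exchange: SYN from a to b, then silence (0), SYN-ACK (1) or RST (2) back */
static void handshake(uint32_t a, uint32_t b, uint16_t sp, uint16_t dp, int reply, uint32_t ts) {
    pkt_t syn = { a, b, sp, dp, 1, 0, 0, 0, ts };
    pkt_t ans = { b, a, dp, sp, reply == 1, 1, reply == 2, 0, ts };
    process_packet(&syn);
    if (reply) process_packet(&ans);
}

/* constructed traffic: 10.0.0.5 probes ten hosts on 445 (2 open, 3 refused, 5 silent) and
 * 10.0.0.7 completes three normal handshakes; returns the number of hosts flagged */
int run_demo(void) {
    const uint32_t scanner = IP4(10, 0, 0, 5), normal = IP4(10, 0, 0, 7);
    reset_tracker();
    for (int i = 0; i < 10; i++)
        handshake(scanner, IP4(10, 0, 1, 10 + i), (uint16_t)(40000 + i), 445, i < 2 ? 1 : i < 5 ? 2 : 0, 100);
    for (int i = 0; i < 3; i++)
        handshake(normal, IP4(10, 0, 2, 20 + i), (uint16_t)(50000 + i), 80, 1, 100);
    expire_connections(200, 30);                      /* the five silent probes time out */
    int flagged = is_suspicious(scanner, 0.5, 5) + is_suspicious(normal, 0.5, 5);
    printf("scanner ratio=%.2f normal ratio=%.2f flagged=%d\n", failure_ratio(scanner), failure_ratio(normal), flagged);
    return flagged;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

Built with `cc -std=c99 -Wall`, the program exits 0 only when exactly the scanning host is flagged: ten attempts with three RSTs and five timeouts give it a failure ratio of 0.80, while the host that completes three handshakes has a ratio of 0 and also never reaches the minimum attempt count. In a kernel module the same logic would sit behind a netfilter hook and use a hashed connection table instead of the linear scans used here for brevity; the linear scan is an assumption for readability, not a recommendation.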
Keywords/Search Tags:Embedded, Linux kernel, traffic monitoring, host-level, worm detection