
The Research And Evaluation Of General PC-Based Traffic Monitoring Method

Posted on: 2011-02-28
Degree: Master
Type: Thesis
Country: China
Candidate: J Han
Full Text: PDF
GTID: 2178360308469047
Subject: Software engineering

Abstract/Summary:
Network traffic monitoring is one of the most important ways to understand the characteristics of network traffic. It provides a wide range of information about that traffic, such as characterizing network behavior, detecting abnormal traffic, discovering network bottlenecks, and locating and recovering from network faults. There are two major approaches to traffic measurement: hardware-based measurement and PC-based measurement. Hardware-based measurement is usually adopted by larger developer corporations and ISPs for its excellent performance on high-speed links, while most small and medium enterprises prefer PC-based measurement. However, as network speeds keep increasing, PC-based measurement becomes insufficient for traffic monitoring on high-speed links because of operating system and hardware limitations. Hence flow sampling and high-speed packet capture, currently hot topics in traffic monitoring, face many challenges. In this thesis, traffic monitoring is investigated in depth, and sampling-based flow estimation methods and high-speed link packet capture technology are analyzed. The main work is as follows:

(1) A hybrid sampling method for flow estimation is proposed. The method combines adaptive sampling, that is, a sampling probability adjusted constantly according to the current traffic situation, with a flow threshold used to identify big flows, in order to improve sampling accuracy and reduce storage space. An unbiased estimate of flow size, the upper bound of the relative error, and the time and space complexity are derived theoretically. Experimental results show that the algorithm adjusts the sampling probability properly and identifies big flows exactly.

(2) PC-based packet capture methods for high-speed networks are evaluated. There are four common packet capture methods: libpcap, libpcap_mmap, kernel-based methods, and the shared-memory-based packet capture method. However, because of operating system and hardware limitations, these four methods differ in operability and practicality. In this thesis, all four methods are evaluated experimentally, and the influence of the NAPI and interrupt models on packet capture is analyzed. Experimental results show that the NAPI model performs well under heavy traffic with small packets, whereas the interrupt model works better when there are more big packets, especially packets larger than 256 bytes.

(3) A traffic monitoring and analysis subsystem is designed and implemented. Specifically, the traffic analysis module, the core module of the subsystem, is designed and implemented, and traffic analysis at both the flow level and the packet level is completed in this module. At present, the system is running in a real network.
Keywords/Search Tags: traffic monitoring and analysis, big flow, adaptive sampling, packet capture