Research And Implementation Of A High-performance Packet Capture System

With the rapid development of network bandwidth, network field faces serious datamonitoring task. The technology of passive packet capture is the foundation of all monitoringtask in the aspect of network security and network management. It has extremely richapplications, such as network monitoring systems, intrusion detection systems, networkfirewall, network fault diagnosis, network operation guidance management and design, etc.However, currently popular operating systems (such as Linux) don’t optimize performance forthis kind of particular application. When network load increases, the performance of packetcapture sharply declines and the rate of the packet loss is very high.How to realize the real-time data flow monitoring in order to improve the performance ofpacket capture is a hot issue. This paper mainly studies realization of data packet capturesystem with1Gbs high speed multiple ports input. It is based on Linux operating system andon the system which has multi-core processors with82576network cards. The main topics ofthis paper are as following:1) Research and analysis the process of packet reach to user space by the Linux kernelnetwork protocol. Summed up general operating system is not suitable for data monitoringplatform during data processing because copying data many times and frequent system callcauses a context switch and interrupt livelock problems.2) Analysis and research the current solutions of high performance data flow monitoringon Linux, such as zero copy, NAPI, PF_RING, netmap, etc. Explain the new characteristics ofthe current hardware such as IOAT.3) Based on the results of the research, the data capture system is implemented by usingthe RSS CARDS and netmap (open source zero-copy solution) in this paper. According toapplications of this system, hash key of RSS network card is improved and in order to reduceresource contention the data structure of netmap has been optimized. 4) Test the data capture system and verify that the system has the ability of dual portwhich can be input2gbs at the same time.