
Gigabit Ethernet Sniffer System Based On Linux

Posted on: 2015-03-02
Degree: Master
Type: Thesis
Country: China
Candidate: L Liu
GTID: 2268330431457753
Subject: Systems analysis and integration
Abstract/Summary:
A network sniffer is a combination of software and hardware that captures data on the network in order to analyze it and gather information about the devices in the network. Sniffing is a powerful tool for gathering data in the network. It is crucial to be able to capture complete data within a network, especially a local area network (LAN) with a complex topology. With the rapid development of network technology in recent years, complex network topologies are more and more widely used. Consequently, monitoring network data flow is becoming more and more complex. Using a sniffer as a means of network management is particularly important, and it has become an indispensable part of network monitoring systems.

A sniffer system is based on capturing the raw data in a network and analyzing it in real time. Compared to monitoring data from the application layer, sniffing systems based on the network layer have become the mainstream of network monitoring systems. But with the rapid development of network technology, increased network bandwidth and heavier data flow, sniffer technology is facing the challenge brought by high-speed network transmission.

Low packet-capture efficiency is one of the traditional problems of network monitoring systems in high-speed networks. There are many ways to solve this problem around the world, including well-known techniques such as NAPI and LibTrace, to name a few. The key concept is to improve the data processing algorithm and the DMA copy of the underlying data. This paper is mainly focused on improving the traditional way of sniffing and, based on the improved design, building a new type of network sniffer that can be used with generic equipment and achieves high efficiency with minimal packet loss.

Netingale, proposed in this paper, is a new type of sniffing technology based on the Linux platform. We researched the NAPI mechanism on Linux; the passive data capture that some programs adopt; the BPF-based LibPcap library and the Pcap standard, developed by the Network Research Group of Lawrence Berkeley Laboratory to capture network data; and the DMA-ring network packet capture mechanism, designed on top of zero-copy and half-polling techniques. Our work is carried out based on these technologies. The main tasks in this paper are:

· Improved LibPcap data capturing mechanism: By studying BPF, the LibPcap data capture mechanism, our team analyzes the reasons for the low capture efficiency and proposes an improved scheme for the NAPI and buffer mechanisms based on that analysis. While the traditional NAPI mechanism is stable under the traffic pressure of a small network, it lacks the ability to deal with large data flows, which results in a large number of lost packets. The improved mechanism uses the CPU's multi-thread processing to improve efficiency. The LibPcap buffer mechanism copies data twice while capturing, which leads to packet loss in high-speed network environments. The improved buffer mechanism implements the idea of zero copy: using means such as mmap to avoid data copying, we use DMA-ring to design a ring buffer queue that replaces the LibPcap buffer queue. The performance of software sniffing is improved by these two methods.

· Propose a new type of Netingale middleware sniffer system: The improvement to the open source LibPcap was implemented by using passive data capture and analyzing the Linux kernel source code. While Netingale is running, the Linux kernel processes the captured data. The improved scheme minimizes data processing in the Linux kernel by optimizing the LibPcap and BPF processing to achieve higher data processing efficiency.

· RACOON gigabit network sniffer system based on Netingale: Starting from the application environment, we design the network topology, build the hardware and software network environment, deploy the RACOON system, write the packet capturing program on the sniffer machine and implement the control application on the console machine in order to complete the whole system.

· Test the performance of the RACOON sniffer: The RACOON sniffer is tested against several modern software sniffers in the same small gigabit LAN environment for performance analysis. Starting from the most general network environment, our team thoroughly tested RACOON over a long period of time, collecting statistics on captured and lost packet rates to compare the performance of different sniffer software platforms with the RACOON sniffer.
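The ring buffer queue described in the first task can be modelled in a few lines. This is an added illustration, not code from the thesis or from Netingale: a single-threaded C model in which each slot carries an ownership flag, the reader works on frames in place instead of copying them, and frames are counted as lost when the reader has not released the next slot. All names, the slot count and the slot size are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 8    /* assumed ring size for the model */
#define SLOT_BYTES 64   /* assumed per-slot frame capacity */
enum { OWNER_PRODUCER = 0, OWNER_CONSUMER = 1 };

struct slot { uint32_t owner; uint32_t len; uint8_t data[SLOT_BYTES]; };
struct ring {
    struct slot slots[RING_SLOTS];
    unsigned head;          /* next slot the producer fills */
    unsigned tail;          /* next slot the consumer reads */
    unsigned long dropped;  /* frames lost: ring full or frame too large */
};

/* Producer side, standing in for the NIC/driver: write the frame into the
 * slot once, then hand the slot to the consumer. A shared-memory ring would
 * also need memory barriers around the owner flag; this model is
 * single-threaded. */
int ring_produce(struct ring *r, const uint8_t *frame, uint32_t len) {
    struct slot *s = &r->slots[r->head];
    if (s->owner != OWNER_PRODUCER || len > SLOT_BYTES) { r->dropped++; return -1; }
    memcpy(s->data, frame, len);   /* models the single DMA write */
    s->len = len;
    s->owner = OWNER_CONSUMER;
    r->head = (r->head + 1) % RING_SLOTS;
    return 0;
}

/* Consumer side: return a pointer into the ring itself, so no copy is made. */
const uint8_t *ring_peek(struct ring *r, uint32_t *len) {
    struct slot *s = &r->slots[r->tail];
    if (s->owner != OWNER_CONSUMER) return NULL;   /* nothing ready */
    *len = s->len;
    return s->data;
}

/* Consumer is done with the frame: give the slot back to the producer. */
void ring_release(struct ring *r) {
    r->slots[r->tail].owner = OWNER_PRODUCER;
    r->tail = (r->tail + 1) % RING_SLOTS;
}

int main(void) {
    static struct ring r;                 /* zero-initialised */
    uint8_t frame[4] = {1, 2, 3, 4};      /* constructed sample frame */
    for (int i = 0; i < 12; i++) ring_produce(&r, frame, sizeof frame);
    printf("dropped with no reader: %lu\n", r.dropped);
    return 0;
}
```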
Keywords/Search Tags:Linux kernel, NAPI, Zero-copy, DMA-ring