TY - GEN
T1 - Scap
T2 - 13th ACM Internet Measurement Conference, IMC 2013
AU - Papadogiannakis, Antonis
AU - Polychronakis, Michalis
AU - Markatos, Evangelos P.
PY - 2013
Y1 - 2013
AB - Many network monitoring applications must analyze traffic beyond the network layer to allow for connection-oriented analysis, and achieve resilience to evasion attempts based on TCP segmentation. However, existing network traffic capture frameworks provide applications with just raw packets, and leave complex operations like flow tracking and TCP stream reassembly to application developers. This gap leads to increased application complexity, longer development time, and most importantly, reduced performance due to excessive data copies between the packet capture subsystem and the stream processing module. This paper presents the Stream capture library (Scap), a network monitoring framework built from the ground up for stream-oriented traffic processing. Based on a kernel module that directly handles flow tracking and TCP stream reassembly, Scap delivers to user-level applications flow-level statistics and reassembled streams by minimizing data movement operations and discarding uninteresting traffic at early stages, while it inherently supports parallel processing on multi-core architectures, and uses advanced capabilities of modern network cards. Our experimental evaluation shows that Scap can capture all streams for traffic rates two times higher than other stream reassembly libraries, and can process more than five times higher traffic loads when eight cores are used for parallel stream processing in a pattern matching application.
KW - Overload control
KW - Packet capturing
KW - Packet filtering
KW - Performance
KW - Stream reassembly
KW - Traffic monitoring
UR - https://www.scopus.com/pages/publications/84890072324
U2 - 10.1145/2504730.2504750
DO - 10.1145/2504730.2504750
M3 - Conference contribution
SN - 9781450319539
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 441
EP - 454
BT - IMC 2013 - Proceedings of the 13th ACM Internet Measurement Conference
Y2 - 23 October 2013 through 25 October 2013
ER -