SF-TAP: Scalable and Flexible Traffic Analysis Platform running on Commodity Hardware

4'5"14DBMBCMFBOE'MFYJCMF 5SBGGJD"OBMZTJT1MBUGPSN 3VOOJOHPO$PNNPEJUZ )BSEXBSF :VVLJ5BLBOP 3ZPTVLF.JVSB 4IJOHP:BTVEB ,VOJP"LBTIJ 5PNPZB*OPVF
JO64&/*9-*4" /*$5 +"*45 +BQBO

5BCMFPG$POUFOUT .PUJWBUJPO 3FMBUFE8PSL %FTJHOPG4'5"1 *NQMFNFOUBUJPOPG4'5"1
1FSGPSNBODF&WBMVBUJPO $PODMVTJPO

.PUJWBUJPO w 1SPHSBNNBCMFBQQMJDBUJPOMFWFMUSBGGJDBOBMZ[FS w 8FXBOUʜ w UPXSJUFUSBGGJDBOBMZ[FSTJOBOZMBOHVBHFTTVDI BT1ZUIPO 3VCZ
$ GPSNBOZQVSQPTFT *%4 *14 GPSFOTJD NBDIJOFMFBSOJOH w OPU UPXSJUFDPEFTIBOEMJOH5$1TUSFBN SFDPOTUSVDUJPO RVJUFDPNQMFY w NPEVMBSJUZGPSNBOZBQQMJDBUJPOQSPUPDPMT

.PUJWBUJPO w )JHITQFFEBQQMJDBUJPOMFWFMUSBGGJDBOBMZ[FS w 8FXBOUʜ w UPIBOEMFIJHICBOEXJEUIUSBGGJD w UPIBOEMFIJHIDPOOFDUJPOTQFSTFDPOE
w IPSJ[POUBMBOE$16DPSFTDBMBCMFBOBMZ[FS

.PUJWBUJPO w 3VOOJOHPO$PNNPEJUZ)BSEXBSF w 8FXBOUʜ w PQFOTPVSDFTPGUXBSF w OPUUPVTFFYQFOTJWFBQQMJBODFT

3FMBUFE8PSL #1'<64&/*9"5$> OFUNBQ<64&/*9"5$> %1%, QDBQ ("411<64&/*9"5$> 4$"1<*.$> MJCOJET MJCQSPUPJEFOU
O%1* MGJMUFS MPXMFWFMUSBGGJDDBQUVSF GMPXPSJFOUFEBOBMZ[FS BQQMJDBUJPOUSBGGJDEFUFDUPS 4'5"1 NPEVMBSJUZBOETDBMBCJMJUZ

)JHIMFWFM"SDIJUFDUVSF PG4'5"1 $16 $16 $16 $16 'MPX"CTUSBDUPS $16 $16
$16 $16 'MPX"CTUSBDUPS $16 $16 $16 $16 'MPX"CTUSBDUPS $16 $16 $16 $16 'MPX"CTUSBDUPS $FMM*ODVCBUPS 5IF*OUFSOFU 4'5"1$FMM 4'5"1$FMM 4'5"1$FMM 4'5"1$FMM *OUSB/FUXPSL $PSF4DBMJOH $PSF4DBMJOH $PSF4DBMJOH $PSF4DBMJOH )PSJ[POUBM4DBMJOH "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS "OBMZ[FS (C& (C&

%FTJHO1SJODJQMF w 'MPX"CTUSBDUJPO w BCTUSBDUGMPXTCZBQQMJDBUJPOMFWFMQSPUPDPMT w QSPWJEFGMPXBCTUSBDUJPOJOUFSGBDFTMJLFEFW QSPDPS#1' w
GPSNVMUJQMFQSPHSBNNJOHMBOHVBHFT w .PEVMBS"SDIJUFDUVSF w TFQBSBUFBOBMZ[JOHBOEDBQUVSJOHMPHJD w FBTJMZSFQMBDFBOBMZ[JOHMPHJD

%FTJHO1SJODJQMF w )PSJ[POUBM4DBMBCMF w BOBMZ[JOHMPHJDUFOETUPSFRVJSFNBOZ DPNQVUFSSFTPVSDFT w WPMVNFFGGFDUTIPVMETPMWFUIFQSPCMFN w
$16$PSF4DBMBCMF w CPUIBOBMZ[JOHBOEDBQUVSJOHMPHJDTIPVME CFDPSFTDBMBCMFGPSFGGJDJFODZ

%FTJHOPG4'5"1 /8*' )551*' 5-4*' 'MPX"CTUSBDUPS 'MPX $MBTTJpFS 5-4"OBMZ[FS
)551"OBMZ[FS )5511SPYZ 5$1BOE6%1 )BOEMFS pMUFSBOE DMBTTJpFS SVMF --PPQCBDL*' %# 'PSFOTJD *%4*14 FUD "QQMJDBUJPO 1SPUPDPM"OBMZ[FS FUD 5$1%FGBVMU*' 6%1%FGBVMU*' "OBMZ[FS1MBOF "CTUSBDUPS1MBOF $BQUVSFS 1MBOF 4'5"1$FMM *ODVCBUPS 'MPX *EFOUJpFS 'MPX 4FQBSBUPS 4FQBSBUPS 1MBOF TFQBSBUFEUSB⒏D 4'5"1$FMM --4OJ⒎FS 44- 1SPYZ FUD PUIFS4'5"1DFMMT *11BDLFU %FGSBHNFOUFS -#SJEHF NJSSPSJOH USB⒏D 1BDLFU'PSXBSEFS *1'SBHNFOU )BOEMFS EFGJOFEQMBOFT "OBMZ[FS1MBOF BQQMJDBUJPOMFWFMBOBMZ[FST 'PSFOTJD *%4*14 FUDʜ "CTUSBDUPS1MBOF GMPXBCTUSBDUJPO 4FQBSBUPS1MBOF GMPXTFQBSBUJPO $BQUVSFS1MBOF USBGGJDDBQUVSJOH PSEJOBSZUFDI VTFSTPG4'5"1JNQMFNFOUTIFSF XFJNQMFNFOUFE XFJNQMFNFOUFE

%FTJHOPG4'5"1 4'5"1$FMM*ODVCBUPS 4'5"1$FMM *ODVCBUPS 'MPX 4FQBSBUPS TFQBSBUFEUSB⒏D
PUIFS4'5"1DFMMT -#SJEHF 1BDLFU'PSXBSEFS *1'SBHNFOU )BOEMFS 1BDLFU'PSXBSEFS MBZFSCSJEHF MBZFSGSBNFDBQUVSF *1'SBHNFOU)BOEMFS IBOEMFGSBHNFOUFEQBDLFUT 'MPX4FQBSBUPS TFQBSBUFGMPXTUPNVMUJQMF*GT

%FTJHOPG4'5"1 4'5"1'MPX"CTUSBDUPS /8*' )551*' 5-4*' 'MPX"CTUSBDUPS 'MPX
$MBTTJpFS 5$1BOE6%1 )BOEMFS pMUFSBOE DMBTTJpFS SVMF --PPQCBDL*' 5$1%FGBVMU*' 6%1%FGBVMU*' 'MPX *EFOUJpFS *11BDLFU %FGSBHNFOUFS 5$1BOE6%1)BOEMFS 'MPX*EFOUJpFS *11BDLFU%FGSBHNFOUFS SFDPOTUSVDU5$1qPXT JEFOUJGZqPXTCZ*1BOEQPSU OPUIJOHUPEPGPS6%1 EFGSBHNFOU*1QBDLFUTJGOFFEFE

%FTJHOPG4'5"1 4'5"1'MPX"CTUSBDUPS /8*' )551*' 5-4*' 'MPX"CTUSBDUPS 'MPX
$MBTTJpFS 5$1BOE6%1 )BOEMFS pMUFSBOE DMBTTJpFS SVMF --PPQCBDL*' 5$1%FGBVMU*' 6%1%FGBVMU*' 'MPX *EFOUJpFS *11BDLFU %FGSBHNFOUFS 'MPX$MBTTJpFS DMBTTJGZqPXTCZ SFHVMBSFYQSFTTJPOT PVUQVUUPBCTUSBDUJPO*'T

*NQMFNFOUBUJPO w 4'5"1DFMMJODVCBUPS w $ w JUVTFTOFUNBQ BWBJMBCMFPO'SFF#4% w
4'5"1GMPXBCTUSBDUPS w $ w JUVTFTQDBQPSOFUNBQ w BWBJMBCMFPO-JOVY #4% BOE.BD04 w 4PVSDF$PEF w IUUQTHJUIVCDPN4'5"1 w -JDFOTF w DMBVTFT#4% VQEBUFEGSPNUIFQBQFS

1FSGPSNBODF&WBMVBUJPO Figure 8: Total Memory Usage of HTTP
Analyzer Figure 9: Packet Drop against CPS QBDLFUESPQBHBJOTUDPOOFDUJPOTQFSTFDPOE QDBQ , , ,

1FSGPSNBODF&WBMVBUJPO GPSXBSEJOHQFSGPSNBODFPG4'5"1DFMMJODVCBUPS .QQT
GSBHNFOUTJ[F CZUFT JEFBM ЋЍ ЋЌ ЋЌ ЋЍ e 14: Forwarding Performance of Cell Incubator risks are incurr Host-based I it is not suitab used in today’s power. Therefo operating with support the futu face of the flow implementation protocols. 7 Related Wireshark [38] Figure 11: CPU Load of Flow Abstractor versus Traffic Volume Figure 16 shows the CPU loads of the 15th CPU. At 5.95 Mpps, the load average was approximately 50%, but at 10.42 Mpps, the loads were close to 100%. More- over, at 14.88 Mpps, CPU resources were completely consumed. This limitation in forwarding performance was probably caused by the bias, which in turn was due o the flow director [10] of Intel’s NIC and its driver. The flow director cannot currently be controlled by user pro- grams on FreeBSD; thus, it causes bias depending on network flows. Note that the fairness regarding RSS queues s simply an implementation issue and is benchmarked or future work. Finally, the memory utilization of the cell incubator depends on the memory allocation strategy of netmap. The current implementation of the cell incubator requires approximately 700 MB of memory to conduct the exper- ments. 6 Discussion and Future Work Figure 12: Physical Memory Usage of Flow Ab (10K CPS) (C&Y (C&Y Ћ Ќ Ѝ DFMMJODVCBUPS Figure 13: Experimental Network of Cell Incu 6.1 Performance Improvements We plan to improve the performance of the flow tor in three aspects. (1) The UNIX domain socket can be replaced other mechanism such as a memory-mapped file o memory attach [6]; however, these mechanisms suitable for our approach, which abstracts flows Thus, new mechanisms for high-performance m passing, such as the zero-copy UNIX domain so zero-copy pipe, should be studied. (2) The flow abstractor currently uses the mallo UPЍ UPЌ UPЌBOEЍ Ћ Ќ Ѝ

0UIFS'FBUVSFT w --PPQCBDLJOUFSGBDFGPSFODBQTVMBUFEGMPXT w -PBECBMBODJOHNFDIBOJTNGPSBQQMJDBUJPO QSPUPDPMBOBMZTFST w 4FQBSBUJOHBOENJSSPSJOHNPEFTPG4'5"1DFMM JODVCBUPS w
4FFNPSFEFUBJOTJOPVSQBQFS

$PODMVTJPO w 8FQSPQPTFE4'5"1GPSBQQMJDBUJPOMFWFMUSBGGJD BOBMZTJT w 4'5"1IBTGPMMPXJOHGFBUVSFT w GMPXBCTUSBDUJPO w SVOOJOHPODPNNPEJUZIBSEXBSF
w NPEVMBSJUZ w TDBMBCJMJUZ w 8FTIPXFE4'5"1IBTBDIJFWFEIJHIQFSGPSNBODF JOPVSFYQFSJNFOUT

SF-TAP: Scalable and Flexible Traffic Analysis Platform running on Commodity Hardware

SF-TAP: Scalable and Flexible Traffic Analysis Platform running on Commodity Hardware

ytakano

More Decks by ytakano

Other Decks in Research

Featured

Transcript

4'5"14DBMBCMFBOE'MFYJCMF 5SBGGJD"OBMZTJT1MBUGPSN 3VOOJOHPO$PNNPEJUZ )BSEXBSF :VVLJ5BLBOP 3ZPTVLF.JVSB 4IJOHP:BTVEB ,VOJP"LBTIJ 5PNPZB*OPVF

5BCMFPG$POUFOUT .PUJWBUJPO 3FMBUFE8PSL %FTJHOPG4'5"1 *NQMFNFOUBUJPOPG4'5"1

.PUJWBUJPO w 1SPHSBNNBCMFBQQMJDBUJPOMFWFMUSBGGJDBOBMZ[FS w 8FXBOUʜ w UPXSJUFUSBGGJDBOBMZ[FSTJOBOZMBOHVBHFTTVDI BT1ZUIPO 3VCZ

.PUJWBUJPO w )JHITQFFEBQQMJDBUJPOMFWFMUSBGGJDBOBMZ[FS w 8FXBOUʜ w UPIBOEMFIJHICBOEXJEUIUSBGGJD w UPIBOEMFIJHIDPOOFDUJPOTQFSTFDPOE

.PUJWBUJPO w 3VOOJOHPO$PNNPEJUZ)BSEXBSF w 8FXBOUʜ w PQFOTPVSDFTPGUXBSF w OPUUPVTFFYQFOTJWFBQQMJBODFT

3FMBUFE8PSL #1'<64&/9"5$> OFUNBQ<64&/9"5$> %1%, QDBQ ("411<64&/9"5$> 4$"1<.$> MJCOJET MJCQSPUPJEFOU

)JHIMFWFM"SDIJUFDUVSF PG4'5"1 $16 $16 $16 $16 'MPX"CTUSBDUPS $16 $16

%FTJHO1SJODJQMF w 'MPX"CTUSBDUJPO w BCTUSBDUGMPXTCZBQQMJDBUJPOMFWFMQSPUPDPMT w QSPWJEFGMPXBCTUSBDUJPOJOUFSGBDFTMJLFEFW QSPDPS#1' w

%FTJHO1SJODJQMF w )PSJ[POUBM4DBMBCMF w BOBMZ[JOHMPHJDUFOETUPSFRVJSFNBOZ DPNQVUFSSFTPVSDFT w WPMVNFFGGFDUTIPVMETPMWFUIFQSPCMFN w

%FTJHOPG4'5"1 /8' )551' 5-4*' 'MPX"CTUSBDUPS 'MPX $MBTTJpFS 5-4"OBMZ[FS

%FTJHOPG4'5"1 4'5"1$FMMODVCBUPS 4'5"1$FMM ODVCBUPS 'MPX 4FQBSBUPS TFQBSBUFEUSB⒏D

%FTJHOPG4'5"1 4'5"1'MPX"CTUSBDUPS /8' )551' 5-4*' 'MPX"CTUSBDUPS 'MPX

%FTJHOPG4'5"1 4'5"1'MPX"CTUSBDUPS /8' )551' 5-4*' 'MPX"CTUSBDUPS 'MPX

*NQMFNFOUBUJPO w 4'5"1DFMMJODVCBUPS w $ w JUVTFTOFUNBQ BWBJMBCMFPO'SFF#4% w

1FSGPSNBODF&WBMVBUJPO Figure 8: Total Memory Usage of HTTP

1FSGPSNBODF&WBMVBUJPO GPSXBSEJOHQFSGPSNBODFPG4'5"1DFMMJODVCBUPS .QQT

0UIFS'FBUVSFT w --PPQCBDLJOUFSGBDFGPSFODBQTVMBUFEGMPXT w -PBECBMBODJOHNFDIBOJTNGPSBQQMJDBUJPO QSPUPDPMBOBMZTFST w 4FQBSBUJOHBOENJSSPSJOHNPEFTPG4'5"1DFMM JODVCBUPS w

$PODMVTJPO w 8FQSPQPTFE4'5"1GPSBQQMJDBUJPOMFWFMUSBGGJD BOBMZTJT w 4'5"1IBTGPMMPXJOHGFBUVSFT w GMPXBCTUSBDUJPO w SVOOJOHPODPNNPEJUZIBSEXBSF