Efficient Dynamic Flow Tracking for Packet Analyzers

Analyzing large amounts of traffic at the packet or flow level is an important part of managing and monitoring cloud network infrastructure. Common scenarios that require low-level packet analysis are troubleshooting problems, accounting traffic, and security applications such as intrusion detection systems or firewalls. Moreover, researchers often analyze traffic for scientific purposes. For such low-level traffic analyses, tracking flows is a feature required for both commercial and scientific purposes. However, there is no good shared library available to implement this functionality in an efficient, configurable, and dynamic way that is suitable for real-time analysis. We implement a high-performance generic flow tracker that can track millions of simultaneous flows based on arbitrarily complex definitions of a flow. We make this implementation available as open source in our traffic analysis tool FlowScope. The highly efficient real-time tracking of flows by arbitrarily complex user-defined flow criteria and filters is enabled by just-in-time (JIT) compilation of flow tracking rules. The code and evaluation scripts are available as free and open source at
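The flow-tracking design the abstract describes, as an added example that is not FlowScope's code: a caller-supplied flow-key function and filter (plain Python callables stand in for the JIT-compiled rules) are applied to every packet, active flows live in a hash table keyed by that user definition, and flows idle beyond a timeout are exported. The Packet layout and the packet records are constructed for the demo.

```python
from collections import namedtuple
from dataclasses import dataclass
Packet = namedtuple("Packet", "ts proto src dst sport dport length")  # assumed header layout

@dataclass
class FlowState:
    first_seen: float; last_seen: float; packets: int = 0; octets: int = 0

class FlowTracker:
    def __init__(self, key_fn, filter_fn=lambda p: True, idle_timeout=2.0):
        self.key_fn = key_fn          # Packet -> hashable flow key (user-defined rule)
        self.filter_fn = filter_fn    # Packet -> bool; False drops the packet early
        self.idle_timeout = idle_timeout
        self.flows = {}               # active flows: key -> FlowState
        self.expired = []             # exported (key, FlowState) records

    def process(self, pkt):           # returns the flow key, or None if filtered out
        if not self.filter_fn(pkt):
            return None
        key = self.key_fn(pkt)
        st = self.flows.get(key)
        if st is None or pkt.ts - st.last_seen > self.idle_timeout:
            if st is not None:        # idle too long: export it and start a new flow
                self.expired.append((key, st))
            st = self.flows[key] = FlowState(pkt.ts, pkt.ts)
        st.last_seen = pkt.ts
        st.packets += 1
        st.octets += pkt.length
        return key

    def expire(self, now):            # export flows idle > idle_timeout; returns total exported
        for k in [k for k, s in self.flows.items() if now - s.last_seen > self.idle_timeout]:
            self.expired.append((k, self.flows.pop(k)))
        return len(self.expired)

def bidirectional_5tuple(p):          # order endpoints so both directions share one key
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

PACKETS = [  # constructed: a TCP exchange, one UDP packet, a late TCP packet
    Packet(0.0, 6, "10.0.0.1", "10.0.0.2", 40001, 443, 100),
    Packet(0.1, 6, "10.0.0.2", "10.0.0.1", 443, 40001, 1400),
    Packet(0.2, 17, "10.0.0.1", "10.0.0.9", 5353, 53, 60),
    Packet(5.0, 6, "10.0.0.1", "10.0.0.2", 40001, 443, 100),
]

def run_demo():                       # track TCP only, then flush everything idle at t=10
    t = FlowTracker(bidirectional_5tuple, filter_fn=lambda p: p.proto == 6)
    for p in PACKETS: t.process(p)
    t.expire(now=10.0)
    return t
```

Swapping in a different key function (for example one that ignores ports, or one keyed on an application-layer field) changes the flow definition without touching the per-packet path, which is the property the JIT approach in the paper exploits.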
