FloSIS: A Highly Scalable Network Flow Capture System for Fast Retrieval and Storage Efficiency

Network packet capture performs essential functions in network management such as attack analysis, network troubleshooting, and performance debugging. As network edge bandwidth exceeds 10 Gbps, the demand for scalable packet capture and retrieval is rapidly increasing. However, existing software-based packet capture systems neither provide high performance nor support flow-level indexing for fast query response. This either prevents important packets from being stored or makes it too slow to retrieve the relevant flows. In this paper, we present FloSIS, a highly scalable, software-based flow storing and indexing system. FloSIS is characterized by the following three aspects. First, it exercises full parallelism across multiple CPU cores and disks at all stages of packet processing. Second, it constructs two-stage flow-level indexes, which help minimize expensive disk access for user queries. It also stores the packets of the same flow at a contiguous disk location, which maximizes disk read throughput. Third, we optimize storage usage by flow-level content deduplication in real time. Our evaluation shows that FloSIS on a dual octa-core CPU machine with 24 HDDs achieves 30 Gbps of zero-drop performance with real traffic, consuming only 0.25% of the space for indexing.
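The three design points of the abstract (a two-stage flow index that avoids disk reads, flows stored contiguously in a capture file, and flow-level content deduplication) in a small in-memory model, written for this page and not taken from the FloSIS code. The concrete structures are assumptions: stage 1 is modelled as a per-file Bloom filter over flow keys, stage 2 as a per-file map from flow key to byte offset and length, and each `Segment` stands in for one capture file on disk.

```python
import hashlib

class Bloom:                      # stage-1 index: small, kept in memory (assumed design)
    def __init__(self, nbits=4096, k=3):
        self.nbits, self.k, self.bits = nbits, k, 0
    def _pos(self, key):
        d = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(d[4*i:4*i+4], "big") % self.nbits for i in range(self.k)]
    def add(self, key):
        for p in self._pos(key): self.bits |= 1 << p
    def maybe(self, key):          # False means "definitely not in this file"
        return all((self.bits >> p) & 1 for p in self._pos(key))

class Segment:                    # models one capture file on disk
    def __init__(self):
        self.data = bytearray()   # flow payloads, each flow stored back to back
        self.stage1 = Bloom()     # which flow keys might be in this file
        self.stage2 = {}          # flow key -> (offset, length) or ("dup", ref)

class FlowStore:
    def __init__(self):
        self.segments, self.seen, self.bytes_saved = [Segment()], {}, 0
    def store_flow(self, key, packets, new_file=False):
        if new_file: self.segments.append(Segment())
        seg, payload = self.segments[-1], b"".join(packets)
        digest = hashlib.sha256(payload).digest()
        if digest in self.seen:   # flow-level dedup: store a reference, not a copy
            seg.stage2[key] = ("dup", self.seen[digest])
            self.bytes_saved += len(payload)
        else:
            seg.stage2[key] = (len(seg.data), len(payload))  # contiguous in the file
            seg.data += payload
            self.seen[digest] = (len(self.segments) - 1, key)
        seg.stage1.add(key)
    def lookup(self, key):        # returns (payload, files_opened)
        opened = 0
        for seg in self.segments:
            if not seg.stage1.maybe(key):   # stage 1 rejects without a disk read
                continue
            opened += 1
            entry = seg.stage2.get(key)     # stage 2 lives in the file on disk
            if entry is None:               # Bloom filter false positive
                continue
            if entry[0] == "dup":           # follow the dedup reference
                si, k2 = entry[1]
                seg, entry = self.segments[si], self.segments[si].stage2[k2]
            return bytes(seg.data[entry[0]:entry[0] + entry[1]]), opened
        return None, opened
```

The `files_opened` count returned by `lookup` is what the stage-1 index is meant to keep small: a query only opens files whose filter admits the flow key.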
