TY - GEN
T1 - Improving the performance of passive network monitoring applications using locality buffering
AU - Papadogiannakis, Antonis
AU - Antoniades, Demetres
AU - Polychronakis, Michalis
AU - Markatos, Evangelos P.
PY - 2007
Y1 - 2007
N2 - In this paper, we present a novel approach for improving the performance of a large class of CPU and memory intensive passive network monitoring applications, such as intrusion detection systems, traffic characterization applications, and NetFlow export probes. Our approach, called locality buffering, reorders the captured packets by clustering packets with the same destination port, before they are delivered to the monitoring application, resulting to improved code and data locality, and consequently to an overall increase in the packet processing throughput and to a decrease in the packet loss rate. We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without the need to change application code. Our experimental evaluation shows that locality buffering improves significantly the performance of popular applications, such as the Snort IDS, which exhibits a 40% increase in the packet processing throughput and a 60% improvement in packet loss rate.
AB - In this paper, we present a novel approach for improving the performance of a large class of CPU and memory intensive passive network monitoring applications, such as intrusion detection systems, traffic characterization applications, and NetFlow export probes. Our approach, called locality buffering, reorders the captured packets by clustering packets with the same destination port, before they are delivered to the monitoring application, resulting to improved code and data locality, and consequently to an overall increase in the packet processing throughput and to a decrease in the packet loss rate. We have implemented locality buffering within the widely used libpcap packet capturing library, which allows existing monitoring applications to transparently benefit from the reordered packet stream without the need to change application code. Our experimental evaluation shows that locality buffering improves significantly the performance of popular applications, such as the Snort IDS, which exhibits a 40% increase in the packet processing throughput and a 60% improvement in packet loss rate.
UR - https://www.scopus.com/pages/publications/57849085719
U2 - 10.1109/MASCOTS.2007.28
DO - 10.1109/MASCOTS.2007.28
M3 - Conference contribution
AN - SCOPUS:57849085719
SN - 9781424418541
T3 - IEEE International Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems - Proceedings
SP - 151
EP - 157
BT - Proceedings of MASCOTS'07 15th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems
T2 - 15th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, MASCOTS'07
Y2 - 24 October 2007 through 26 October 2007
ER -