Software Engineering Institute | Carnegie Mellon University

Presentation

Towards 100 Gbit Flow-Based Network Monitoring

  • January 2016
  • In this presentation, the authors describe nProbe "cento," a software probe that tackles monitoring challenges that arose with the advent of 100-Gbit networks.
  • Network Situational Awareness
  • Publisher: CERT Division
  • Abstract

    Monitoring a 100-Gbit network is a challenging activity, both in terms of packets per second and number of concurrent flows. Although computing performance has greatly increased over the past few years, it is not easy to adapt the design of existing 10-Gbit probes to 100 Gbit. The demand for DPI-based traffic classification, as well as the ability to combine on the same physical box both a flow-based probe and additional applications (e.g., an IDS), makes this task even more challenging. It is challenging because network administrators often combine network visibility with in-depth analysis of selected traffic flows (e.g., produced by compromised hosts or critical network resources). This presentation covers the design and implementation of nProbe "cento," a software probe designed from scratch to tackle new monitoring challenges that arose with the advent of 100-Gbit networks. Based on 10 years of lessons learned while developing nProbe, a popular software-based probe, cento has been designed from scratch to guarantee maximum packet processing performance and a clean design not affected by existing legacy software components. It can operate on commodity hardware for multi-10-Gbit flow monitoring, and it can exploit modern FPGA-based NICs for native 100-Gbit monitoring. Cento integrates a lightweight DPI layer as well as zero-copy packet forwarding capabilities to steer selected packets’ egress from Ethernet interfaces or applications running on the same box. This approach enables network administrators to combine onto a single box functionalities that are often implemented with multiple servers, thus saving money on costly high-speed network adapters and reducing the number of monitoring components.

Part of a Collection

FloCon 2016 Presentations