Towards 100 Gbit Flow-Based Network Monitoring
January 2016 • Presentation
In this presentation, the authors describe nProbe "cento," a software probe that tackles monitoring challenges that arose with the advent of 100-Gbit networks.
Monitoring a 100-Gbit network is a challenging activity, both in terms of packets per second and number of concurrent flows. Although computing performance has greatly increased over the past few years, it is not easy to adapt the design of existing 10-Gbit probes to 100 Gbit. The demand for DPI-based traffic classification, as well as the ability to combine both a flow-based probe and additional applications (e.g., an IDS) on the same physical box, makes this task even more challenging. This is because network administrators often combine network visibility with in-depth analysis of selected traffic flows (e.g., those produced by compromised hosts or critical network resources). This presentation covers the design and implementation of nProbe "cento," a software probe designed from scratch to tackle new monitoring challenges that arose with the advent of 100-Gbit networks. Based on 10 years of lessons learned while developing nProbe, a popular software-based probe, cento has been built to guarantee maximum packet processing performance and a clean design not affected by existing legacy software components. It can operate on commodity hardware for multi-10-Gbit flow monitoring and can exploit modern FPGA-based NICs for native 100-Gbit monitoring. Cento integrates a lightweight DPI layer as well as zero-copy packet forwarding capabilities to steer selected packets to egress Ethernet interfaces or to applications running on the same box. This approach enables network administrators to combine onto a single box functionalities that are often implemented with multiple servers, thus saving money on costly high-speed network adapters and reducing the number of monitoring components.