Exploiting Commodity Multi-core Systems
for Network Traffic Analysis
Luca Deri
ntop.org
Pisa, Italy
deri@ntop.org
Francesco Fusco
IBM Zurich Research Laboratory
Rüschlikon, Switzerland
ffu@zurich.ibm.com
Abstract
The current trend in computer processors is towards multi-core systems. Although operating systems were adapted a
long time ago to support multi-processing, kernel network layers have not yet taken advantage of this new technology.
The result is that packet capture, the cornerstone of every network monitoring application, is not efficient on modern
systems and its performance gets worse with an increasing number of cores.
This paper describes common pitfalls of network monitoring applications when used with multi-core systems, and
presents solutions to these problems. In addition, it covers the design and implementation of a new multi-core aware
packet capture kernel module that enables monitoring applications to scale with the number of cores, contrary to what
happens in most operating systems.
Keywords: Passive packet capture, multi-core processors, network traffic monitoring, Linux kernel, operating systems.
1. Introduction
The complexity of Internet-based services and advances in interconnection technologies increased the
demand for advanced monitoring applications designed for high-speed networks. The increased complexity
of monitoring tasks such as anomaly detection, intrusion detection and traffic classification, made software
extremely attractive because it is more flexible and less expensive than dedicated hardware. On the other
hand, analyzing high-speed network by means of software applications running on commodity off-the-shelf
(COTS) hardware presents major performance challenges. Packet capture is still one of the most resource
intensive tasks for the majority of passive monitoring applications. The industry followed three paths for
accelerating software applications by means of specialized hardware while keeping the software flexibility:
• Accelerating the packet capture pro