基于多核平台的高速网络流量实时捕获方法

Realtime Capture of High-Speed Traffic on Multi-Core Platform

随着互联网上应用的丰富和网络带宽的增长,带来的安全问题也与日剧增,除了传统的垃圾邮件、病毒传播、DDoS攻击外,还出现了新型的隐蔽性强的攻击方式.网络探针工具是一种部署在局域网出口处的旁路设备,能够收集当前进出网关的全部流量并进行分析,而网络探针工具中最重要的模块就是数据包的捕获.传统的Linux网络协议栈在捕获数据包时有诸多性能瓶颈,无法满足高速网络环境的要求.介绍了基于零拷贝、多核并行化等技术的多种新型的数据包捕获引擎,并基于Intel DPDK平台设计并实现了一个可扩展的数据包捕获系统,它能够利用接收端扩展(receiver-side scaling,RSS)技术实现多核并行化的数据包捕获、模块化的上层处理流程.除此之外,还讨论了更有效、更公平的将数据包分发到不同的接收队列所应使用的Hash函数.经过初步的实验验证,该系统能够实现接近线速的收包并且多个CPU核心间实现负载均衡.

With the development of Internet application and the increase of network band width,security issues b e c o m e increasingly serious.In addition to the spread of the virus,s p a m s a n d D D o Sattacks,there have been lots of strongly hidden attack methods.N e t w o r k probe tools w h i c h aredeployed as a bypass device at the g a t e w a y of the intranet,can collect all the traffic of the currentn e t w o r k a n d analyze them.T h e m o s t important m o d u l e of the n e t w o r k probe is packet capture.InL i n u x n e t w o r k protocol stack,there are m a n y performance bottlenecks in the procedure of packetsprocessing w h i c h cannot m e e t the d e m a n d of high speed n e t w o r k environment.In this p a p e r,w eintroduce several n e w packet capture engines based o n zero-copy a n d multi-core technology.F u r t h e r,w e design a n d i m p l e m e n t a scalable high p erformance packet capture f r a m e w o r k based o n Intel D P D K,w h i c h uses R S S(receiver-side scaling)to m a k e packet capture parallelization a n d customize the packetprocessing.Additionally,this paper also discusses m o r e effective a n d fair H a s h function b y w h i c hdata packet can be deliveried to different receiving queues.In evaluation,w e can see that the s y s t e mcan capture an d process the packets in nearly line-speed a n d balance the load b e t w e e n C P U cores.