Design of an Application Programming Interface for IP Network Monitoring
Evangelos P. Markatos, Kostas G. Anagnostakis, Arne Øslebø, Michalis Polychronakis
Institute of Computer Science (ICS), Foundation for Research and Technology Hellas (FORTH)
Overview
- Network traffic monitoring programming interface
- Expressive interface for applications to specify their monitoring needs
- Based on a generalized network flow abstraction
- Exploits features of the underlying hardware
Roadmap
- Network monitoring: what is the problem?
- MAPI: a network Monitoring API
- MAPI implementation
- Experimental evaluation
- Summary and conclusions
Motivation: what is the problem?
- No single monitoring interface is satisfactory for all applications
- Flow-level traffic summaries do not provide detailed information; intrusion detection and application identification need payload data
- Full packet capture produces too much data, is infeasible on high-speed links, and has significant processing needs
- Case-specific solutions exist (DAG cards, network processors, firewalls, ...), but there is no general-purpose monitoring abstraction
MAPI (1/2)
- Basic abstraction: the network flow, a sequence of packets that satisfy a given set of conditions
- Conditions range from simple header-based filters to content inspection and protocol analysis, e.g. all the SYN packets directed to a particular web server, or all the TCP packets between a pair of subnets that contain the string "/bin/perl.exe"
- Richer than the traditional flow model (the traffic between two hosts using specific ports)
MAPI (2/2)
- Network flows are given first-class status: they are named entities
- Users can create/destroy flows, read packets from flows, and apply functions to network flows
- Flows are manipulated like UNIX pipes, sockets and files
- Flexible and expressive API
- Decouples programmers from the underlying hardware platform: portable code
Basic MAPI Calls
  fd = mapi_create_flow(char *dev, cond *c, mode m)
      fd: flow descriptor (unique id); c: BPF filter; m: RAW, COOKED, HIERARCHICAL
  mapi_close_flow(flow_desc fd)
  mapi_apply_function(flow_desc fd, func f, ...)
      f: PACKET_COUNT, SAMPLE_PACKETS, STRING_SEARCH, ...
  mapi_remove_function(flow_desc fd, func_desc f)
  mapi_get_next_packet(flow_desc fd)
  mapi_read_results(flow_desc fd, func f, void *res)
Predefined Functions
- Treat packets of different network flows in different ways by associating functions with each network flow
- Implemented functions: PACKET_COUNT, BYTE_COUNT, SAMPLE_PACKETS, STRING_SEARCH, COMPUTE_HASH
- Support for custom functions
Example MAPI Code
Count all the TCP packets destined to port 80 that contain the string "/bin/perl.exe":

  int fd, res;
  /* one flow: every TCP packet to port 80 seen on the DAG card */
  fd = mapi_create_flow("/dev/dag0", "tcp port 80", RAW);
  /* functions are applied in order: only packets that contain the string are counted */
  mapi_apply_function(fd, STRING_SEARCH, "/bin/perl.exe");
  mapi_apply_function(fd, PACKET_COUNT);
  while (1) {
      sleep(1);
      mapi_read_results(fd, PACKET_COUNT, &res);
      /* ... */
  }
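The flow/function model of the preceding slides, as an added example that is not MAPI or MAPId code from the paper: a small in-process C model in which flows are created with a header filter, functions are chained per flow, and every packet is processed once by a daemon-style loop. All names here (toy_create_flow, toy_apply_function, toy_process_packet, struct pkt, the constructed sample packets) are this example's own; the filter is a protocol/destination-port pair rather than a BPF expression, and the assumption that a failed STRING_SEARCH stops further processing of that packet for that flow is inferred from the slide example (STRING_SEARCH followed by PACKET_COUNT gives the count of matching packets), not taken from the library. The second scenario also illustrates the copy-reduction point of the sampling and string-searching slides: with two flows searching for different strings, only the matching packets are delivered to each flow instead of every packet to every application.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MAX_FLOWS = 8, MAX_FUNCS = 4, ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };
enum func_id { PACKET_COUNT, BYTE_COUNT, STRING_SEARCH };   /* slide names, our values */
struct pkt  { int proto, dst_port; const char *payload; size_t len; };
struct func { enum func_id id; const char *needle; uint64_t result; };
struct flow {
    int in_use, proto, dst_port, nfuncs;   /* ANY (0) matches every proto / port */
    struct func funcs[MAX_FUNCS];          /* run in the order they were applied */
};
static struct flow flows[MAX_FLOWS];
void toy_reset(void) { memset(flows, 0, sizeof flows); }

/* mapi_create_flow analogue: proto + dst port instead of a BPF string. */
int toy_create_flow(int proto, int dst_port) {
    for (int fd = 0; fd < MAX_FLOWS; fd++) if (!flows[fd].in_use) {
        flows[fd] = (struct flow){ .in_use = 1, .proto = proto, .dst_port = dst_port };
        return fd;
    }
    return -1;
}
/* mapi_apply_function analogue; returns a function descriptor or -1. */
int toy_apply_function(int fd, enum func_id id, const char *arg) {
    struct flow *f = &flows[fd];
    if (!f->in_use || f->nfuncs == MAX_FUNCS) return -1;
    f->funcs[f->nfuncs] = (struct func){ id, arg, 0 };
    return f->nfuncs++;
}
/* mapi_read_results analogue. */
int toy_read_results(int fd, int fdesc, uint64_t *res) {
    if (!flows[fd].in_use || fdesc < 0 || fdesc >= flows[fd].nfuncs) return -1;
    *res = flows[fd].funcs[fdesc].result;
    return 0;
}
/* Bounded search: payloads are raw bytes, not NUL-terminated strings. */
static int payload_contains(const struct pkt *p, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= p->len; i++)
        if (memcmp(p->payload + i, needle, n) == 0) return 1;
    return 0;
}
/* One daemon pass: each flow sees the packet once and runs its chain; a STRING_SEARCH
 * miss ends the chain for that flow (assumed semantics). Returns how many flows got it. */
int toy_process_packet(const struct pkt *p) {
    int delivered = 0;
    for (int fd = 0; fd < MAX_FLOWS; fd++) {
        struct flow *f = &flows[fd];
        if (!f->in_use || (f->proto && f->proto != p->proto) ||
            (f->dst_port && f->dst_port != p->dst_port)) continue;
        int pass = 1;
        for (int i = 0; i < f->nfuncs && pass; i++) {
            struct func *fn = &f->funcs[i];
            if (fn->id == PACKET_COUNT) fn->result++;
            else if (fn->id == BYTE_COUNT) fn->result += p->len;
            else if (payload_contains(p, fn->needle)) fn->result++;
            else pass = 0;
        }
        delivered += pass;
    }
    return delivered;
}
/* Constructed sample traffic (not captured data). */
#define P(proto, port, s) { proto, port, s, sizeof(s) - 1 }
static const struct pkt sample[] = {
    P(PROTO_TCP, 80,   "GET /bin/perl.exe HTTP/1.0"),
    P(PROTO_TCP, 80,   "GET /index.html HTTP/1.0"),
    P(PROTO_TCP, 8080, "GET /bin/perl.exe HTTP/1.0"),
    P(PROTO_UDP, 80,   "/bin/perl.exe"),
    P(PROTO_TCP, 80,   "POST /bin/perl.exe?x=1 HTTP/1.1"),
    P(PROTO_TCP, 80,   "GET /bin/perl.ex HTTP/1.0"),
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* The slide's example: TCP port 80 packets that contain "/bin/perl.exe". */
uint64_t run_slide_example(void) {
    uint64_t count = 0;
    toy_reset();
    int fd = toy_create_flow(PROTO_TCP, 80);
    toy_apply_function(fd, STRING_SEARCH, "/bin/perl.exe");
    int cnt = toy_apply_function(fd, PACKET_COUNT, NULL);
    for (size_t i = 0; i < NSAMPLE; i++) toy_process_packet(&sample[i]);
    toy_read_results(fd, cnt, &count);
    return count;
}
/* Two applications with different search strings: the daemon searches once and
 * delivers only matches, instead of every packet to every application. */
static uint64_t two_apps_counts[2];
uint64_t two_apps_count(int app) { return two_apps_counts[app]; }
int run_two_apps(void) {
    static const char *needles[2] = { "/bin/perl.exe", "index.html" };
    int deliveries = 0, fd[2], cnt[2];
    toy_reset();
    for (int a = 0; a < 2; a++) {
        fd[a] = toy_create_flow(a == 0 ? PROTO_TCP : ANY, ANY);
        toy_apply_function(fd[a], STRING_SEARCH, needles[a]);
        cnt[a] = toy_apply_function(fd[a], PACKET_COUNT, NULL);
    }
    for (size_t i = 0; i < NSAMPLE; i++) deliveries += toy_process_packet(&sample[i]);
    for (int a = 0; a < 2; a++) toy_read_results(fd[a], cnt[a], &two_apps_counts[a]);
    return deliveries;   /* the pcap model would hand out NSAMPLE * 2 copies */
}

int main(void) {
    printf("slide example: %llu matches\n", (unsigned long long)run_slide_example());
    printf("two apps: %d deliveries vs %zu pcap-style copies\n", run_two_apps(), (size_t)(NSAMPLE * 2));
    return 0;
}
```

Of the six constructed packets, the slide's flow counts two (the UDP packet and the port-8080 packet fail the header filter, and "/bin/perl.ex" is not a match); in the two-application scenario the daemon makes four deliveries in total instead of the twelve copies a copy-everything-to-everyone model would make. The bounded memcmp search matters in practice: packet payloads carry arbitrary bytes, so a strstr-style search would stop at the first NUL and miss content after it.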
MAPI Implementation
- Main implementation on a DAG card: 1 Gbps Ethernet, full packet capture; circular buffer mapped in user space; zero-copy packet delivery; no interrupts; precise timestamps
- NIC implementation: the NIC is put in promiscuous mode; similar code to MAPI-over-DAG; uses libpcap to read packets
MAPI Daemon Architecture
- MAPId: multithreaded daemon
- Communication thread: receives requests, returns results
- Packet processing thread: processes each arriving packet
Experimental Evaluation
What are we going to compare? Two hardware platforms (DAG, NIC) and two interfaces (MAPI, PCAP): MAPI-over-DAG, PCAP-over-DAG, MAPI-over-NIC, PCAP-over-NIC
- MAPI-over-DAG vs MAPI-over-NIC: synergistic effect of an advanced API and specialized hardware
- MAPI-over-NIC/DAG vs PCAP-over-NIC: shows how much faster MAPI is compared to pcap
- What about PCAP-over-DAG? It does not support multiple flows: limited functionality
Basic Test: Simple Filtering (1/2)
One monitoring application creates N flows; flow N consists of all packets destined to port N; count the packets and bytes of each flow.
[Plot: maximum loss-free number of flows (0 to 600) vs input rate (100 to 700 Mbit/s), curves for MAPI over DAG and MAPI over NIC]
- MAPI-over-DAG is somewhat better than MAPI-over-NIC due to reduced copying/kernel overhead
Basic Test: Simple Filtering (2/2)
[Plot: maximum loss-free number of flows (0 to 600) vs input rate (100 to 700 Mbit/s), curves for MAPI over DAG, MAPI over NIC and libpcap over NIC]
- MAPI-(over-PCAP)-over-NIC is better than PCAP-over-NIC. Why? Polling vs non-polling: MAPI handles asynchrony better.
- PCAP: N times pcap_open_live(), pcap_setnonblock(), pcap_dispatch()
- MAPI: N times mapi_create_flow(), but inside MAPId only one pcap_open_live() and pcap_next()
Sampling (1/2)
N monitoring applications; each application samples 1/20,000 packets. Input traffic: 100 Mbps.
[Plot: CPU idle time (%) vs number of sampling applications (0 to 30), curves for MAPI over DAG, MAPI over NIC and pcap over NIC]
- PCAP: first copies all packets to all applications, then each application samples
- MAPI: first samples on behalf of each application, then copies only the sampled packets
Sampling (2/2)
N monitoring applications; each application samples 1/20,000 packets. Input traffic: 500 Mbps.
[Plot: CPU idle time (%) vs number of sampling applications (0 to 30), curves for MAPI over DAG, MAPI over NIC and pcap over NIC]
- PCAP: first copies all packets to all applications, then each application samples
- MAPI: first samples on behalf of each application, then copies only the sampled packets
String Searching
N monitoring applications; each application searches for a different 8-byte string inside each packet. Input traffic: 100 Mbps.
[Plot: CPU idle time (%) vs number of string searching applications (0 to 30), curves for MAPI over DAG, MAPI over NIC and pcap over NIC]
- PCAP: first copies all packets to all applications, then each application searches
- MAPI: first searches for all the N strings, then copies only the matched packets
Summary
- MAPI provides an expressive monitoring interface: an intuitive set of operations built on a novel network flow abstraction; users can apply functions to flows
- MAPI has been implemented on DAG and on NIC cards
- Improves performance as the number and complexity of applications sharing the monitoring infrastructure increases
- Provides applications with just the right amount of information they need
- Can benefit from intelligent network components by pushing certain functions to hardware
Thank you!
Contact:
- Michalis Polychronakis: mikepo@ics.forth.gr
- Kostas G. Anagnostakis: anagnost@dsl.cis.upenn.edu
- Arne Øslebø: Arne.Oslebo@uninett.no
- Evangelos P. Markatos: markatos@ics.forth.gr
Testbed
- The switch mirrors the traffic between Source and Destination to the Monitor PC
- 1460-byte UDP packets generated at a constant rate using iperf
String Searching (2/2)
N monitoring applications; each application searches for a different 8-byte string inside each packet. Input traffic: 500 Mbps.
[Plot: CPU idle time (%) vs number of string searching applications (0 to 30), curves for MAPI over DAG, MAPI over NIC and pcap over NIC]
- All monitoring environments have overhead
- MAPI is better than PCAP
- MAPI-over-DAG is better than MAPI-over-NIC
Packet Loss for Libpcap
N monitoring applications; each application samples 1/20,000 packets. Input traffic: 100 Mbps and 500 Mbps.
[Plot: packet loss ratio (%) vs number of sampling applications (0 to 30), curves for libpcap at 500 Mbit/s and at 100 Mbit/s]
- PCAP: packet loss as plotted
- MAPI: no packet loss
Sampling
N monitoring applications; each application samples 1/10 packets. Input traffic: 100 Mbps.
[Plot: CPU idle time (%) vs number of sampling applications (0 to 30), curves for MAPI over DAG, MAPI over NIC and pcap over NIC]
- PCAP: first copies all packets to all applications, then each application samples
- MAPI: first samples on behalf of each application, then copies only the sampled packets
Sampling
N monitoring applications; each application samples 1/10 packets. Input traffic: 500 Mbps.
[Plot: CPU idle time (%) vs number of sampling applications (0 to 30), curves for MAPI over DAG, MAPI over NIC and pcap over NIC]
- PCAP: first copies all packets to all applications, then each application samples
- MAPI: first samples on behalf of each application, then copies only the sampled packets
Ongoing Work
- Tree optimization
- Advanced cooking
- Admission control
- Loadable functions
- Support for the scampi adapter