ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2017, Vol. 54 ›› Issue (6): 1300-1313. doi: 10.7544/issn1000-1239.2017.20160823

Special topic: 2017 Excellent Young Scientists special topic

• Network Technology •

Realtime Capture of High-Speed Traffic on Multi-Core Platform

Ling Ruilin, Li Junfeng, Li Dan

  1. (Department of Computer Science and Technology, Tsinghua University, Beijing 100084) (lrl14@mails.tsinghua.edu.cn)
  • Published: 2017-06-01
  • Online: 2017-06-01
  • Supported by:
    the National High Technology Research and Development Program of China (863 Program) (2015AA01A705, 2015AA016102); the National Natural Science Foundation of China, Excellent Young Scientists Fund (61522205)

Abstract: As Internet applications multiply and network bandwidth grows, the accompanying security problems are increasing as well. In addition to traditional spam, virus propagation, and DDoS attacks, new and highly stealthy attack methods have emerged. A network probe is a bypass device deployed at the egress of a local area network; it collects all traffic entering and leaving the gateway and analyzes it. The most important module of a network probe is packet capture. The traditional Linux network protocol stack has many performance bottlenecks when capturing packets and cannot meet the demands of high-speed network environments. This paper introduces several new packet capture engines based on zero-copy, multi-core parallelization, and related techniques. It then designs and implements a scalable packet capture system on the Intel DPDK platform, which uses receiver-side scaling (RSS) to parallelize packet capture across cores and provides a modular upper-layer processing flow. The paper also discusses which Hash function should be used to distribute packets to the different receive queues more effectively and more fairly. Preliminary experiments show that the system receives packets at close to line rate and balances the load across CPU cores.

Key words: packet capture, receiver-side scaling (RSS), multi-core, DPDK platform, Hash function
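RSS-capable NICs commonly pick the receive queue from a Toeplitz hash over a packet's address and port fields. The following is an added example, not code from the paper: it assumes the key published in Microsoft's RSS hash verification suite, a 128-entry indirection table filled round-robin, and constructed flows, and it measures how evenly a candidate hash spreads flows over the queues.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the RSS key from Microsoft's RSS hash verification suite. */
static const uint8_t RSS_KEY[40] = {
    0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2, 0x41, 0x67,
    0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0, 0xd0, 0xca, 0x2b, 0xcb,
    0xae, 0x7b, 0x30, 0xb4, 0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30,
    0xf2, 0x0c, 0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa };

/* Toeplitz hash: each set input bit XORs in the 32-bit key window at its offset. */
uint32_t toeplitz_hash(const uint8_t *key, size_t klen, const uint8_t *in, size_t len) {
    uint32_t hash = 0, win = ((uint32_t)key[0] << 24) | ((uint32_t)key[1] << 16) |
                             ((uint32_t)key[2] << 8) | key[3];
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) {
            if (in[i] & (1u << b)) hash ^= win;
            win = (win << 1) | ((i + 4 < klen) ? (key[i + 4] >> b) & 1u : 0u);
        }
    return hash;
}

/* TCP/IPv4 input: src IP, dst IP, src port, dst port, in network byte order. */
uint32_t rss_hash_tcp4(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp) {
    uint8_t in[12] = { (uint8_t)(sip >> 24), (uint8_t)(sip >> 16), (uint8_t)(sip >> 8), (uint8_t)sip,
                       (uint8_t)(dip >> 24), (uint8_t)(dip >> 16), (uint8_t)(dip >> 8), (uint8_t)dip,
                       (uint8_t)(sp >> 8), (uint8_t)sp, (uint8_t)(dp >> 8), (uint8_t)dp };
    return toeplitz_hash(RSS_KEY, sizeof RSS_KEY, in, sizeof in);
}

/* Assumed layout: low 7 hash bits index a 128-entry table filled round-robin. */
unsigned rss_queue(uint32_t hash, unsigned nq) { return (hash & 127u) % nq; }

/* Spread constructed flows (10.0.x.y -> 192.0.2.1:443); returns the busiest queue's count. */
unsigned max_queue_load(unsigned flows, unsigned nq, unsigned *counts) {
    unsigned max = 0;
    for (unsigned q = 0; q < nq; q++) counts[q] = 0;
    for (unsigned f = 0; f < flows; f++) {
        unsigned q = rss_queue(rss_hash_tcp4(0x0a000000u + f, 0xc0000201u, (uint16_t)(1024 + f), 443), nq);
        if (++counts[q] > max) max = counts[q];
    }
    return max;
}

int main(void) {
    unsigned c[4], max = max_queue_load(1000, 4, c);
    printf("per-queue flows: %u %u %u %u (max %u)\n", c[0], c[1], c[2], c[3], max);
    return 0;
}
```

A perfectly fair hash would put 250 of the 1000 constructed flows on each of the four queues; the gap between that and the reported maximum is the imbalance a capture core would see.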
