Upload File

wireshark ieee

5
Bottleneck Analysis o f Traffic Monitoring using Wireshark* Abes Dabir Ashraf Matrawy Department of Systems a n d Computer Engineering, Carleton University, Canada fadabir, amatrawy @,sce. carleton. ca Abstract This paper looks at the bottlenecks associated with packet capturing using commodity hardware i n local area networks (LANs) without losing data. Experiments were carried out using t h e Wireshark packet snifer t o write captured packets directly t o disk i n a Fast Ethernet network with various test setups. These experiments involved generating large packets a t almost line rate. Various sizes o f t h e kernel level buffer associated with th e packet capturing socket were also experimented with. A s well, a simple multithreaded design with user level buffers w a s proposed f o r th e capturing application an d experiments were carried o u t with this solution. T he results showed that increasing th e buffering ateither th e kernel level o r t h e application level c a n significantly improve capturing performance. T h e best results c a n b e achieved b y using a mix o f increased kernel socket buffering a n d a multithreaded capturing application with i ts o w n store a n d hold buffers. 1 . Introduction There a r e specialized network monitoring cards, called D a g cards [1 ] that c a n b e installed i n standard P Cs i n order t o capture packets. Such commercial grade products a r e mainly intended f o r broadband networks a n d could cost many thousands of dollars. O n the other hand i t i s possible t o build a n inexpensive software-based sniffer o n a high-end P C t o capture packets o n Fast Ethernet, o r potentially o n a Gigabit Ethernetnetwork. Many packet capturing applications u se libpcap [2], a prominent open source, cross-platform packet capturing library. O ne o f the most popular open source, libpcap-based, packet sniffer a n d protocol analyzers available f o r Unix-based a n d Windows machines is Wireshark (formerly known a s Ethereal) [3]. This paper involves packet capturing experiments i n which incoming packets a re written t o disk f o r later analysis. Packet loss w as encountered during t h e 978-1-4244-1841-1/08/$25.00 C2008 IEEE course o f these experiments and methods f o r alleviating i t were attempted. Although t h e results o f this paper ar e based o n t h e Wireshark sniffer, they a r e generic enough t o apply t o a l l libpcap-based applications. A n y work that c a n b e done t o optimize t h e bottlenecks i n PC s i n terms of packet capturing increases th e value of purely software-based packet sniffers a s a n alternative t o higher cost commercial solutions. This paper is organized as follows. Section 2 provides background information o n t h e packet capturing process using libpcap a n d Wireshark. Section 3 reviews some o f t h e related work i n this field. Section 4 provides a n analysis o f the problem. Section 5 is dedicated t o the experimental part o f this paper where t h e experiments, methodology, a nd results ar e presented. Finally, section 6 will provide a concluding discussion o n this work. 2 . Background I n order t o b e able t o analyze the bottlenecks involved i n capturing packets with Wireshark, i t i s important t o understand th e structure of t h e Wireshark application a s well a s h o w incoming packets ar e handled b y the different layers i n a n O S . T h e limitations imposed b y t h e physical components o f a commodity computer must also b e taken into consideration. 2 . 1 Wireshark Structure T h e Wireshark application comes with several executables along with t h e main Wireshark executable that displays t h e G U I application. O n e o f these executables i s Dumpcap, which i s a single threaded command line utility that captures packets a nd dumps them directly t o the disk without doing a n y processing. When a capture session i s initiated i n th e Wireshark GUI, i t launches a n instance of Dumpcap i n t h e console t o perform t h e actual capturing o f packets. Dumpcap informs t h e Wireshark G U I o f t h e file i t i s writing t h e packets t o . T h e Wireshark G U I reads newly captured packets i n th e file Dumpcap i s writing t o , analyzes them, a n d reports them t o t h e user. *This research wa s supported b y NSERC

Upload: varunraina20066409

Post on 06-Apr-2018

245 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: wireshark ieee

8/2/2019 wireshark ieee

http://slidepdf.com/reader/full/wireshark-ieee 1/5

B o t t l e n e c k A n a l y s i s o f T r a f f i c M o n i t o r i n g u s i n g W i r e s h a r k *

A b e s D a b i r A s h r a f M a t r a w yD e p a r t m e n t o f S y s t e m s a n d C o m p u t e r E n g i n e e r i n g , C a r l e t o n U n i v e r s i t y , C a n a d a

f a d a b i r , amatrawy @ , s c e . c a r l e t o n . ca

A b s t r a c t

T h i s p a p e r l o o k s a t t h e b o t t l e n e c k s a s s o c i a t e d w i t hp a c k e t c a p t u r i n g u s i n g c o m m o d i t y h a r d w a r e i n l o c a la r e a n e t w o r k s ( L A N s ) w i t h o u t l o s i n g d a t a .E x p e r i m e n t s w e r e c a r r i e d o u t u s i n g t h e W i r e s h a r kp a c k e t s n i f e r t o w r i t e c a p t u r e d p a c k e t s d i r e c t l y t o d i s ki n a F a s t E t h e r n e t n e t w o r k w i t h v a r i o u s t e s t s e t u p s .

T h e s e e x p e r i m e n t s i n v o l v e d g e n e r a t i n g l a r g e p a c k e t s a ta l m o s t l i n e r a t e . V a r i o u s s i z e s o f t h e k e r n e l l e v e l b u f f e ra s s o c i a t e d w i t h t h e p a c k e t c a p t u r i n g s o c k e t w e r e a l s oe x p e r i m e n t e d w i t h . A s w e l l , a s i m p l e m u l t i t h r e a d e d

d e s i g n w i t h u s e r l e v e l b u f f e r s w a s p r o p o s e d f o r t h ec a p t u r i n g a p p l i c a t i o n a n d e x p e r i m e n t s w e r e c a r r i e d o u t

w i t h t h i s s o l u t i o n . T h e r e s u l t s s h o w e d t h a t i n c r e a s i n gt h e b u f f e r i n g a t e i t h e r t h e k e r n e l l e v e l o r t h e a p p l i c a t i o nl e v e l c a n s i g n i f i c a n t l y i m p r o v e c a p t u r i n g p e r f o r m a n c e .T h e b e s t r e s u l t s c a n b e a c h i e v e d b y u s i n g a m i x o fi n c r e a s e d k e r n e l s o c k e t b u f f e r i n g a n d a m u l t i t h r e a d e d

c a p t u r i n g a p p l i c a t i o n w i t h i t s o w n s t o r e a n d h o l d

b u f f e r s .

1 . I n t r o d u c t i o n

T h e r e a r e s p e c i a l i z e d n e t w o r k m o n i t o r i n g c a r d s ,c a l l e d D a g c a r d s [ 1 ] t h a t c a n b e i n s t a l l e d i n s t a n d a r dP C s i n o r d e r t o c a p t u r e p a c k e t s . S u c h c o m m e r c i a lg r a d e p r o d u c t s a r e m a i n l y i n t e n d e d f o r b r o a d b a n dn e t w o r k s a n d c o u l d c o s t many t ho u s an ds o f d o l l a r s . On

t h e o t h e r h a n d i t i s p o s s i b l e t o b u i l d a n i n e x p e n s i v es o f t w a r e - b a s e d s n i f f e r o n a h i g h - e n d PC t o c a p t u r ep a c k e t s o n F a s t E t h e r n e t , o r p o t e n t i a l l y o n a G i g a b i tE t h e r n e t n e t w o r k .

Many p a c k e t c a p t u r i n g a p p l i c a t i o n s u s e l i b p c a p [ 2 ] ,a p r o m i n e n t o p e n s o u r c e , c r o s s - p l a t f o r m p a c k e tc a p t u r i n g l i b r a r y . One o f t h e m o s t p o p u l a r o p e n s o u r c e ,l i b p c a p - b a s e d , p a c k e t s n i f f e r a n d p r o t o c o l a n a l y z e r sa v a i l a b l e f o r U n i x - b a s e d a n d W i n d o w s m a c h i n e s i sW i r e s h a r k ( f o r m e r l y k n o w n a s E t h e r e a l ) [ 3 ] .

T h i s p a p e r i n v o l v e s p a c k e t c a p t u r i n g e x p e r i m e n t s i nw h i c h i n c o m i n g p a c k e t s a r e w r i t t e n t o d i s k f o r l a t e ra n a l y s i s . P a c k e t l o s s w a s e n c o u n t e r e d d u r i n g t h e

9 7 8 - 1 - 4 2 4 4 - 1 8 4 1 - 1 / 0 8 / $ 2 5 . 0 0 C 2 0 0 8 I E E E

c o u r s e o f t h e s e e x p e r i m e n t s a n d m e t h o d s f o r a l l e v i a t i n gi t w e r e a t t e m p t e d . A l t h o u g h t h e r e s u l t s o f t h i s p a p e r a r eb a s e d o n t h e W i r e s h a r k s n i f f e r , t h e y a r e g e n e r i c e n o u g ht o a p p l y t o a l l l i b p c a p - b a s e d a p p l i c a t i o n s .

Any w o r k t h a t c a n b e d o n e t o o p t i m i z e t h eb o t t l e n e c k s i n P C s i n t e r m s o f p a c k e t c a p t u r i n gi n c r e a s e s t h e v a l u e o f p u r e l y s o f t w a r e - b a s e d p a c k e t

s n i f f e r s a s a n a l t e r n a t i v e t o h i g h e r c o s t c o m m e r c i a ls o l u t i o n s .

T h i s p a p e r i s o r g a n i z e d a s f o l l o w s . S e c t i o n 2

p r o v i d e s b a c k g r o u n d i n f o r m a t i o n o n t h e p a c k e tc a p t u r i n g p r o c e s s u s i n g l i b p c a p a n d W i r e s h a r k . S e c t i o n3 r e v i e w s s o m e o f t h e r e l a t e d w o r k i n t h i s f i e l d .S e c t i o n 4 p r o v i d e s a n a n a l y s i s o f t h e p r o b l e m . S e c t i o n5 i s d e d i c a t e d t o t h e e x p e r i m e n t a l p a r t o f t h i s p a p e r

w h e r e t h e e x p e r i m e n t s , m e t h o d o l o g y , a n d r e s u l t s a r ep r e s e n t e d . F i n a l l y , s e c t i o n 6 w i l l p r o v i d e a c o n c l u d i n gd i s c u s s i o n o n t h i s w o r k .

2 . B a c k g r o u n d

I n o r d e r t o b e a b l e t o a n a l y z e t h e b o t t l e n e c k si n v o l v e d i n c a p t u r i n g p a c k e t s w i t h W i r e s h a r k , i t i s

i m p o r t a n t t o u n d e r s t a n d t h e s t r u c t u r e o f t h e W i r e s h a r k

a p p l i c a t i o n a s w e l l a s how i n c o m i n g p a c k e t s a r eh a n d l e d b y t h e d i f f e r e n t l a y e r s i n a n O S . T h el i m i t a t i o n s i m p o s e d b y t h e p h y s i c a l c o m p o n e n t s o f ac o m m o d i t y c o m p u t e r m u s t a l s o b e t a k e n i n t oc o n s i d e r a t i o n .

2 . 1 W i r e s h a r k S t r u c t u r e

T h e W i r e s h a r k a p p l i c a t i o n c o m e s w i t h s e v e r a le x e c u t a b l e s a l o n g w i t h t h e m a i n W i r e s h a r k e x e c u t a b l et h a t d i s p l a y s t h e G U I a p p l i c a t i o n . O n e o f t h e s ee x e c u t a b l e s i s D u m p c a p , w h i c h i s a s i n g l e t h r e a d e d

c o m m a n d l i n e u t i l i t y t h a t c a p t u r e s p a c k e t s a n d d u m p st h e m d i r e c t l y t o t h e d i s k w i t h o u t d o i n g a n y p r o c e s s i n g .

Wh e n a c a p t u r e s e s s i o n i s i n i t i a t e d i n t h e W i r e s h a r kG U I , i t l a u n c h e s a n i n s t a n c e o f D u m p c a p i n t h e c o n s o l et o p e r f o r m t h e a c t u a l c a p t u r i n g o f p a c k e t s . D u m p c a pi n f o r m s t h e W i r e s h a r k GUI o f t h e f i l e i t i s w r i t i n g t h ep a c k e t s t o . T h e W i r e s h a r k GUI r e a d s n e w l y c a p t u r e dp a c k e t s i n t h e f i l e D u m p c a p i s w r i t i n g t o , a n a l y z e st h e m , a n d r e p o r t s t h e m t o t h e u s e r .

* T h i s r e s e a r c h w a s s u p p o r t e d b y NSERC

1 5 8

Page 2: wireshark ieee

8/2/2019 wireshark ieee

http://slidepdf.com/reader/full/wireshark-ieee 2/5

2 . 2 F l o w o f P a c k e t s t h r o u g h t h e S y s t e m

W i r e s h a r k u s e s t h e l i b p c a p l i b r a r y t o p e r f o r m t h el o w l e v e l w o r k o f c a p t u r i n g p a c k e t s . T h e d i a g r a m i nf i g u r e 1 d i s p l a y s t h e t y p i c a l f l o w o f p a c k e t s a s t h e ya r r i v e f r o m t h e n e t w o r k u p t o t h e p o i n t w h e r e t h e y a r ew r i t t e n t o d i s k .A s y s t e m s u c h a s t h e o n e d i s p l a y e d i n f i g u r e 1 u s e s

w h a t i s c a l l e d a 2 - c o p y p r o c e s s [ 4 ] . P a c k e t s a r r i v i n g a tt h e NI C a r e c o p i e d t o t h e d e v i c e d r i v e r m e m o r y . I f t h ep a c k e t s n e e d t o b e c o p i e d o n e m o r e t i m e b e f o r e t h e u s e r

a p p l i c a t i o n c a n a c c e s s t h e m , t h e n a 1 - c o p y p r o c e s s i so b t a i n e d . T y p i c a l l y t h i s c o p y w o u l d b e i n t o a k e r n e lb u f f e r w h i c h t h e u s e r a p p l i c a t i o n c a n a l s o a c c e s s . M o s ta p p l i c a t i o n s u s e a 2 - c o p y p r o c e s s w h e r e t h e p a c k e t s a r ec o p i e d f r o m t h e k e r n e l b u f f e r i n t o a u s e r b u f f e r f o r t h ea p p l i c a t i o n t o a c c e s s .

U s e r L e v e l

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ . . . . . , _ , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . In L i n u x k e r n e l s 2 . 2 . e r[] a n d i oler s u c h . a s . F e d o r a~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ . . . . . . . . . . . . . . . . . . . . . . .~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ . . . . .. . . . . . . . . . . . . . .. . . . . . . . . . - t . - . . - . . - .

e r n e lLevel a " P A . . . . . . C K ET s o

K e r n e l B u f f e r s

. . . . . . . . . . . . j . . i i i i a iF e d o r a . . . . . . . . . . . . . . . . . . . . . . . .o r eh e s i z e o f e a f . . . e rite.

N e t w o r kP a c k e t s

F i g u r e 1 . F l o w o f p a c k e t s t h r o u g h t h e s y s t e m

I n L i n u x k e r n e l s 2 . 2 . [ . x ] a n d l a t e r s u c h a s F e d o r a

C o r e 6 ' s k e r m e l , l i b p c a p u s e s a " P F L b P A C K E T " s o c k e tw h i c h b y p a s s e s m o s t p a c k e t p r o t o c o l p r o c e s s i n g d o n e

b y t h e k e f u e l [ 5 ] . E a c h s o c k e t h a s t w o k e t e l b u f f e r sa s s o c i a t e d w i t h i t f o r r e a d i n g a n d w r i t i n g . B y d e f a u l t i nF e d o r a C o r e 6 t h e s i z e o f e a c h b u f f e r i s 1 0 9 5 6 8 b y t e s .W i n p c a p [ 6 ] , t h e W i n d o w s p o r t o f l i b p c a p , a l l o w s t h es i z e o f t h e k e r n e l b u f f e r a s s o c i a t e d w i t h t h e c a p t u r es o c k e t t o b e m o d i f i e d b y t h e u s e r . L i b p c a p d o e s n o t

p r o v i d e s u c h f u n c t i o n a l i t y , a l t h o u g h i n L i n u x t h es e t s o c k o p t ( ) f u n c t i o n c a n b e u s e d t o a c h i e v e t h i s . S i n c el i b p c a p h a s f u l l c o n t r o l o v e r t h e o p e n e d s o c k e t , o n l y i t

c a n m o d i f y t h e b u f f e r s i z e a n d t h e r e f o r e , i t i s n ' t

p o s s i b l e f o r l i b p c a p - b a s e d a p p l i c a t i o n s t o m a n i p u l a t et h e s o c k e t ' s k e r n e l b u f f e r s i z e d i r e c t l y . H o w e v e r , a r o o t

u s e r c a n m o d i f y t h e g l o b a l v a r i a b l e s" ~ n e t . o r e . r m e m _ m a x " ' a n d " n e t . c o r e . r m e m _ d e f a u l t "u s i n g t h e " s y s c t l " command t o e s t a b l i s h t h e d e f a u l tb u f f e r s i z e f o r a l l s o c k e t s o p e n e d i n t h e s y s t e m .

I n W i r e s h a r k a n d s i m i l a r s n i f f e r s , a t u s e r l e v e l t h ep a c k e t s a r e c o p i e d f r o m t h e k e r n e l b u f f e r i n t o a b u f f e rc r e a t e d b y l i b p c a p w h e n a l i v e c a p t u r e s e s s i o n i ss t a r t e d . T h i s b u f f e r o n l y h o l d s a s i n g l e p a c k e t a t a t i m e

f o r t h e a p p l i c a t i o n t o p r o c e s s b e f o r e t h e n e x t p a c k e t i s

c o p i e d i n t o i t . I f t h e a p p l i c a t i o n c h o o s e s t o w r i t e t h ep a c k e t t o d i s k u s i n g t h e C s t a n d a r d l i b r a r y ' s " f w r i t e "f u n c t i o n , t h e p a c k e t i s c o p i e d i n t o a n o t h e r b u f f e r w h i c hm u s t b e f i l l e d b e f o r e s t d i o m a k e s a s y s t e m c a l l t o w r i t ei t s d a t a t o d i s k . T h i s b u f f e r i n g i s d o n e t o i n c r e a s e t h ed i s k w r i t i n g e f f i c i e n c y b y w r i t i n g a b a t c h o f d a t ai n s t e a d o f p o s s i b l y many s m a l l c h u n k s a t a t i m e . T h e

d e f a u l t s i z e f o r t h i s b u f f e r i s 8 1 9 2 b y t e s a n d i s c r e a t e dw h e n a f i l e i s c r e a t e d / o p e n e d f o r w r i t i n g u s i n g t h e C

s t a n d a r d l i b r a r y .F i n a l l y , t h e o p e r a t i n g s y s t e m i t s e l f may i m p o s e

a n o t h e r l e v e l o f b u f f e r i n g a t t h e f i l e s y s t e m l e v e l f o rw r i t i n g d a t a t o d i s k .

2 . 3 S p e e d o f V a r i o u s PC C o m p o n e n t s

A t y p i c a l 1 0 0 M b p s NI C c a r d c a n u s u a l l y h a n d l et r a f f i c r a t e s i n t h e h i g h 9 0 M b p s r a n g e w i t h o u t d r o p p i n gp a c k e t s . A g i g a b i t NI C c a r d w i l l s t a r t t o d r o p p a c k e t sa t a r o u n d t h e 6 0 0 - 7 0 0 M p b s r a n g e [ 7 ] .

O n c e p a c k e t s a r r i v e a t t h e NI C c a r d t h e y m u s t b em o v e d t o m a i n memory o v e r t h e s y s t e m b u s . A s i n g l ep a c k e t may b e t r a n s f e r r e d o v e r t h e b u s s e v e r a l t i m e sd e p e n d i n g o n t h e n u m b e r o f c o p i e s t h a t t a k e p l a c e . T h eP C I b u s h a s a t h e o r e t i c a l maximum t r a n s f e r r a t e o f

1 3 3 M B / s ; h o w e v e r a c t u a l t r a n s f e r r a t e s a r e n o m o r et h a n 4 0 - 5 0 M B / s b e c a u s e a d e v i c e c a n o n l y h a v e c o n t r o lo v e r t h e b u s f o r a c e r t a i n n u m b e r o f c y c l e s b e f o r eh a v i n g t o r e l i n q u i s h c o n t r o l [ 8 ] . T h i s r a t e c a n n o t

h a n d l e m o r e t h a n F a s t E t h e r n e t . P C I E x p r e s s b u s h a s at h e o r e t i c a l maximum t r a n s f e r r a t e o f 8 G B / s o v e r 3 2

l a n e s . Some Dag n e t w o r k m o n i t o r i n g c a r d s [ 1 ] u s e t h i sb u s t o c a p t u r e 1 0 G b p s t r a f f i c .

I f p a c k e t s a r e o n l y b e i n g w r i t t e n t o d i s k f o r l a t e ra n a l y s i s , a r e a s o n a b l y f a s t CPU a n d m a i n memorys h o u l d n o t b e p e r f o r m a n c e b o t t l e n e c k s . T h e s l o w e s tc o m p o n e n t o f a t y p i c a l s y s t e m i s t h e d i s k d r i v e .T y p i c a l P C s t o d a y h a v e SATA h a r d d r i v e s t h a t u n d e ri d e a l b e n c h m a r k i n g c o n d i t i o n s c a n a c h i e v e w r i t e s p e e d so f a f e w t e n s o f m e g a b y t e s p e r s e c o n d .

3 . R e l a t e d W o r k

T h e r e a r e a n u m b e r o f e n h a n c e m e n t s i n W i n p c a pw h i c h a r e n o t p r e s e n t i n l i b p c a p . O n e o f t h e s e i s t h ed u m p t o d i s k c a p a b i l i t y w h i c h a l l o w s W i n p c a p t o w r i t e

p a c k e t s t o d i s k d i r e c t l y f r o m t h e k e r n e l b u f f e r w i t h o u tg o i n g t h r o u g h t h e u s e r l e v e l a p p l i c a t i o n [ 4 ] . T h i s

a p p r o a c h r e d u c e s t h e n u m b e r o f s y s t e m c a l l s ,p r o c e s s i n g o v e r h e a d , a n d a l l o w s f o r g r e a t e r e f f i c i e n c yw h e n r e c o r d i n g p a c k e t s f o r l a t e r a n a l y s i s .

A n o t h e r a p p r o a c h t a k e n b y t h e l i b p c a p - m m a pp r o j e c t [ 9 ] t o i n c r e a s e p e r f o r m a n c e i s t o s h a r e a s i n g l eb u f f e r b e t w e e n t h e k e r n e l s p a c e a n d t h e u s e r s p a c e

1 5 9

Page 3: wireshark ieee

8/2/2019 wireshark ieee

http://slidepdf.com/reader/full/wireshark-ieee 3/5

a p p l i c a t i o n . T h i s p r o j e c t m a i n t a i n s a m o d i f i e d v e r s i o no f t h e l i b p c a p l i b r a r y .

When a p a c k e t a r r i v e s , a n i n t e r r u p t i s r a i s e d t os e r v i c e t h e p a c k e t . When d e a l i n g w i t h a v e r y h i g hi n c o m i n g p a c k e t r a t e t h e n u m b e r o f i n t e r r u p t s r a i s e d p e r

p a c k e t c a n b e o v er wh e l m i n g . T he r e h a s b e e n s o m ew o r k d o n e i n t h e a r e a o f i n t e r r u p t d e l a y i n g a n d d e v i c e

p o l l i n g i n o r d e r t o r e d u c e o r e v e n e l i m i n a t e t h e n u m b e ro f i n t e r r u p t s p e r p a c k e t [ 1 0 , 1 1 , 1 2 ] .

Dag c a r d s [ 1 ] w e r e p r e v i o u s l y m e n t i o n e d i n t h i sr e p o r t . T h e s e a r e h i g h p e r f o r m a n c e n e t w o r km o n i t o r i n g c a r d s t h a t c a n b e i n s t a l l e d i n c o m m o d i t yP C s . T h e s e c a r d s c o m e i n v a r i o u s v e r s i o n s a n d t h ef a s t e s t o n e s s u pp or t 1 0 G b p s r a t e s . S i n c e t h e s e c a r d s a r es p e c i a l i z e d h a r d w a r e , t h e y a r e n o t a d d r e s s e d b y t h i sr e p o r t . H o w e v e r , t h e r e i s w o r k b e i n g d o n e i n [ 1 3 ] t oi m p r o v e t h e a r c h i t e c t u r e o f t h e s e c a r d s i n o r d e r t o a l l o w

f o r d i s t r i b u t i n g t h e f l o w o f i n c o m i n g p a c k e t s a m o n gd i f f e r e n t c o n s u m e r s . T h e i r w o r k may a l s o b ea p p l i c a b l e t o com m o n NIC c a r d s .

A n o t h e r a p p r o a c h t o h a n d l i n g h i g h s pe e d p a c ke ts t r e a m s a s s u g g e s t e d b y [ 6 ] a n d o t h e r s i s t o s p l i t t h eh i g h s pe e d p a c k e t s t r e a m i n t o m u l t i p l e s l o w e r s t r e a m s

a n d s e n d i n g e a c h o n e t o a s e p a r a t e n o d e f o r p r o c e s s i n g .I t i s a l s o w i d e l y r e c o g n i z e d t h a t i f t h e i n c o m i n g p a c k e ts t r e a m i s f a s t e r t h a n t h e w r i t e s p e e d o f a s i n g l e d i s k ,a r r a y s o f d i s k s s h o u l d b e u s e d w i t h p a r a l l e l w r i t eo p e r a t i o n s t o a c h i e v e a f a s t e r e f f e c t i v e w r i t e s p e e d .

4 . A n a l y s i s

B a s e d o n t h e a n a l y s i s i n s e c t i o n 2 . 3 , i t w a ss u s p e c t e d t h a t w r i t i n g p a c k e t s t o t h e d i s k i s t h e

b o t t l e n e c k . Much o f t h e e x p e r i m e n t s i n s e c t i o n 5 a r ef o c us ed o n u s i n g b u f f e r i n g a t d i f f e r e n t l e v e l s ( k e r n e la n d u s e r l e v e l ) , a n d w i t h v a r i o u s s i z e s t o d e t e r m i n e how

m u c h o f a n i m p a c t t h i s w o u l d h a v e o n i m p r o v i n g t h en u m b e r o f p a c k e t s s u c c e s s f u l l y w r i t t e n t o d i s k .

S i n c e Dumpcap i s a s i n g l e t h r e a d e d a p p l i c a t i o n , i t

w a s s u s p e c t e d t h a t w h i l e i t i s b u s y w r i t i n g t o d i s k ,b e c a u s e i t i s b l o c k e d b y t h e I O c a l l , i t i s u n a b l e t oh a n d l e n e w l y a r r i v i n g p a c k e t s d u e t o t h e s m a l l s i z e o f

t h e k e r n e l b u f f e r w h i c h q u i c k l y f i l l s u p .One o f t h e s o l u t i o n s a t t e m p t e d w a s t o u s e b u f f e r i n g

i n t h e u s e r l e v e l a p p l i c a t i o n . U s i n g a s i z e a b l e p o r t i o no f t h e RAM f o r b u f f e r s t o o v e r c o m e t h e b o t t l e n e c k i s i n

a c c or da n c e w i t h V a r g h e s e ' s f o u r t h p r i n c i p l e ( P 4 c )w h i c h a d v o c a t e s e x p l o i t i n g e x i s t i n g h a r d w a r e [ 1 4 ] i no r d e r t o s p ee du p n e t wo r k i n g o p e r a t i o n s . T h e D u m p c a pc o d e w a s m o di f i ed t o i n c l u d e t w o b u f f e r s , a s s h o w n i nf i g u r e 2 , s i m i l a r t o t h e s t o r e a n d h o l d k e r n e l l e v e lb u f f e r s i n t h e o r i g i n a l B e r k l e y P a c k e t F i l t e r m o d u l e [ 4 ] .

T h e s t o r e b u f f e r i s u s e d t o r e t a i n t h e i n c o m i n gp a c k e t s u n t i l a s i z e a b l e a m o u n t h a s b e e n b u f f e r e d a n d i sr e a d y t o b e w r i t t e n t o t h e d i s k . T h e h o l d b u f f e r

c o n t a i n s t h e p a c k e t s t h a t a r e b e i n g w r i t t e n t o t h e d i s k .I n i t i a l l y b o t h b u f f e r s w o u l d b e e m p t y a n d p a c k e t sr e c e i v e d b y Dumpcap w o u l d b e w r i t t e n t o t h e s t o r eb u f f e r u n t i l i t b e c o m e s f i l l e d . A t t h a t p o i n t t h e s t o r eb u f f e r b e c o m e s t h e ne w h o l d b u f f e r a n d i t s c o n t e n t s a r ew r i t t e n t o t h e d i s k . T h e o l d h o l d b u f f e r now b e c o m e st h e s t o r e b u f f e r a n d i s u s e d t o b u f f e r i n c o m i n g p a c k e t sw h i l e t h e p r e v i o u s l y b u f f e r e d p a c k e t s i n t h e h o l d b u f f e ra r e b e i n g w r i t t e n t o t h e d i s k .

T h e m o d i f i e d Dumpcap c o d e i n c l u d e d t w o t h r e a d s .T h e m a i n t h r e a d w a s r e s p o n s i b l e f o r r e c e i v i n g p a c k e t sa n d b u f f e r i n g t h e m , w h i l e t h e s e c o n d t h r e a d w a sr e s p o n s i b l e f o r w r i t i n g d a t a t o t h e d i s k w h e n t h e s t o r eb u f f e r g e t s f i l l e d , a n d s i g n a l i n g t h e m a i n t h r e a d w h e n i t

w a s d o n e . S y n c h r o n i z a t i o n b e t w e e n t h e t w o t h r e a d sw a s a c h i e v e d u s i n g t w o t h r e a d s e m a p h o r e s . W i t h t h i sa d d i t i o n a l l e v e l o f b u f f e r i n g , t h e w r i t e b u f f e r i n g d o n eb y s t d i o i s n o l o n g e r n e e de d a n d w a s d i s a b l e d t o k e e pt h e o v e r a l l n u m b e r o f b u f f e r s t h e p a c k e t p a s s e s t h r o u g ht h e s a m e a s b e f o r e .

P a c k e t s

Mi I l l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F i g u r e 2 . B u f f e r i n g m e t h o d a d d e d t o Dumpcap

5 . E x p e r i m e n t s a n d R e s u l t s

5 . 1 N e t w o r k S e t u p

T h e n e t w o r k s e t u p a n d e q u i pm e n t u s e d f o rg e n e r a t i n g a n d c a p t u r i n g p a c k e t s a r e s h o w n i n f i g u r e 3 .

C r o s s - O v e r C a b l e 1

( T r a f f i c G e n e r a t o r ) ( T r a f f i c C a p t u r e )

F e d o r a C o r e 6 F e d o r a C o r e 61 . 5 G H z P e n t i u m M , 512MB Ra m C e n t r i n o D u o T 2 0 5 0 , 1G B Ra m

5400RPM P ATA H D 5400RPM SATA HD

F i g u r e 3 . N e t w o r k s e t u p f o r g e n e r a t i o n a n dc a p t u r i n g p a c k e t s

5 . 2 Hard D r i v e P e r f o r m a n c e

B e n c h m a r k s w e r e c a r r i e d o u t o n t h e h a r d d i s k o f t h el a p t o p u s e d f o r c a p t u r i n g p a c k e t s t o g e t a n i d e a o f t h ew r i t e s p e e d t h a t t h e d r i v e c a n a c h i e v e u n d e r i d e a lc o n d i t i o n s . A b e n c h m a r k p e r f o r m i n g o n l y s e q u e n t i a lw r i t e s a c h i e v e d a w r i t e s p e e d o f 3 3 . 3 1 M B / s . A n o t h e rt e s t w a s r u n i n v o l v i n g a s m a l l a m o u n t ( 1 0 0 % ) o f

1 6 0

Page 4: wireshark ieee

8/2/2019 wireshark ieee

http://slidepdf.com/reader/full/wireshark-ieee 4/5

c o n c u r r e n t r e a d i n g t o d e t e r m i n e how m u c h i n f l u e n c e i tw o u l d h a v e o n t h e s pe e d o f t h e w r i t e o p e r a t i o n . T h i s

t e s t a c h i e v e d a w r i t e s p e e d o f o n l y 1 7 . 0 3 M B / s . C l e a r l ye v e n a s m a l l a m o u n t o f c o n c u r r e n t r e a d i n g c a n

s i g n i f i c a n t l y l o w e r t h e w r i t e s p e e d .T h e d e s i g n o f W i r e s h a r k GUI i s s u c h t h a t w h i l e

Dumpcap i s w r i t i n g p a c k e t s t o t h e d i s k , t h e GUI

c o m p o n e n t c o n c u r r e n t l y r e a d s t h e s t o r e d p a c k e t s f r o mt h e d i s k t o p r o c e s s a n d d i s p l a y s t a t i s t i c s t o t h e u s e r .T h i s i s c l e a r l y n o t a d e s i r a b l e a p p r o a c h w h e n d e a l i n gw it h h ig h p a c k e t r a t e s . S i n c e t h e e x p e r i m e n t s i n t h i ss e c t i o n u s e Dumpcap o n l y w i t h o u t t h e W i r e s h a r k GUI

c o m p o n e n t , t h e d i s c u s s i o n a b o v e i s n o t a c o n c e r n .

5 . 3 P a c k e t G e n e r a t i o n M e t h o d o l o g y

T h e e x p e r i m e n t s c a r r i e d o u t u t i l i z e d a p a c k e t s i z e o f1 0 7 0 b y t e s . D u r i n g e a c h i n d i v i d u a l t e s t , r o u g h l y 1GB

o f d a t a w a s g e n e r a t e d u s i n g T c p r e p l a y [ 1 5 ] f r o m o n e

l a p t o p t o w a r d s t h e o t h e r . S i n c e t h e c a p t u r e d p a c k e t s

w e r e n o t b e i n g a n a l y z e d a t t h e d e s t i n a t i o n , o n l y t h e s i z eo f t h e p a c k e t s i s r e l e v a n t a n d n o t t h e p r o t o c o l o rc o n t e n t s . T h e t r a n s m i t t i n g l a p t o p w a s a b l e t o g e n e r a t e

p a c k e t s a t a r a t e o f 1 1 . 7 M B / s ( 9 3 . 6 M b p s ) w i t h o u t

e x h a u s t i n g t h e C P U . T h e r e f o r e , t h e g e n e r a t i o n r a t e w a sn o t b e i n g l i m i t e d b y t h e C PU p o w e r . I t i s p o s s i b l e t h a ti t w a s b e i n g l i m i t e d b y t h e n e t w o r k c a r d , o r s o m e o t h e ra s p e c t o f t h e s y s t e m .

5 . 4 P a c k e t C a p t u r i n g R e s u l t s

T a b l e 1 d i s p l a y s t h e r e s u l t s o f t h e p a c k e t c a p t u r i n ge x p e r i m e n t s c a r r i e d o u t w i t h D u m p c a p . E a c h c o l u m n

o f t a b l e 1 r e p r e s e n t s a d i f f e r e n t t e s t s e t u p . E a c hi n d i v i d u a l t e s t w a s r u n 1 5 s e p a r a t e t i m e s a n d t h en u m b e r o f d r o p p e d p a c k e t s r e p o r t e d b y t h e l i b p c a pl i b r a r y w a s r e c or d ed e a c h t i m e .

T h e s e c o n d c o l u m n o f t a b l e 1 r e p r e s e n t s a t e s t s e t u pu s i n g a v i r t u a l l y u n m o d i f i e d v e r s i o n o f Dumpcap

( e x c e p t f o r a m i n o r a d d i t i o n t o r e p o r t t h e n u m b e r o f

d r o p p e d p a c k e t s ) . T h e t h i r d c o l u m n r e p r e s e n t s a s e t u pw h e r e D u m p c a p w a s m o d i f i e d t o d i s a b l e t h e p o r t i o n o f

t h e c o d e t h a t w r i t e s t h e p a c k e t s t o d i s k . T h e f i f t h a n ds i x t h c o l u m n s r e p r e s e n t t h e s a m e v e r s i o n o f Dumpcapa s i n c o l u m n t w o , b u t w i t h 50MB a n d t h e n 100MB o f

b u f f e r i n g a t t h e k e r n e l l e v e l f o r t h e r e c e i v e d i r e c t i o n o f

t h e c a p t u r e s o c k e t . T h e t e s t s e t u p o f s e c o n d l a s t c o l u m nu s e d d e f a u l t k e r n e l b u f f e r i n g , b u t u s e d a v e r s i o n o fDumpcap m o d i f i e d t o i n c l u d e t h e m u l t i t h r e a d e d d i s kw r i t i n g s o l u t i o n d i s c u s s e d i n s e c t i o n 4 .

When u s i n g t h e u n m o d i f i e d v e r s i o n o f D u m p c a pw i t h d e f a u l t k e r n e l l e v e l b u f f e r i n g , t h e r e i s q u i t e a b i t o f

p a c k e t l o s s . W i t h d e f a u l t k e r n e l b u f f e r i n g l e v e l s a n dd i s a b l i n g t h e p a r t o f D u m p c a p t h a t w r i t e s p a c k e t s t o t h ed i s k , t h e n u m b e r o f d r o p p e d p a c k e t s i s s i g n i f i c a n t l y

r e d u c e d a n d i s c l o s e t o 0 . T h i s i s a s t r o n g i n d i c a t i o nt h a t w r i t i n g t o d i s k i s i n d e e d t h e b o t t l e n e c k o f t h ec a p t u r e p r o c e s s w i t h D u m p c a p .

I n t h e r e s u l t s e t , a s t h e a m o u n t o f k e r n e l l e v e l b u f f e rmemory a s s o c i a t e d w i t h t h e r e c e i v e d i r e c t i o n o f t h ec a p t u r e s o c k e t i s i n c r e a s e d , t h e n u m b e r o f d r o p p e dp a c k e t s i s s i g n i f i c a n t l y r e d u c e d . B a s e d o n t h e t r e n ds e e n i n t h e s e r e s u l t s , b y j u s t i n c r e a s i n g t h e a m o u n t o fk e r n e l l e v e l b u f f e r a s s o c i a t e d w i t h t h e s o c k e t , Dumpcap

c a n b e u s e d t o c a p t u r e p a c k e t s o n a F a s t E t h e r n e t l i n kw it ho u t d r op p i n g a n y p a c k e t s .

On s o m e l e v e l , t h e m u l t i t h r e a d e d v e r s i o n o f

Dumcap w i t h 50MB b u f f e r i n g a t t h e u s e r - l e v e l i ss i m i l a r t o t h e u n m o d i f i e d v e r s i o n o f Dumcap w i t h

50MB o f k e r n e l l e v e l b u f f e r i n g . T h e n u m b e r o f

d r o p p e d p a c k e t s f o r t h e s e t w o c a s e s i s c o m p a r a b l e . I nt h e m u l t i t h r e a d e d a p p r o a c h , w h i l e t h e s e c o n d t h r e a d i sb u s y w r i t i n g d a t a f r o m t h e 25MB h o l d b u f f e r t o t h ed i s k , t h e m a i n t h r e a d i s s t i l l a c c e p t i n g p a c k e t s i n t o t h e25MB s t o r e b u f f e r a n d p r e v e n t i n g t h e v e r y s m a l l k e r n e l

l e v e l b u f f e r f r o m f i l l i n g u p a n d d r op p i n g s u bs e q u e ntp a c k e t s . When u s i n g t h e u n m o d i f i e d v e r s i o n o fDumpcap w i t h 50MB o f k e r n e l l e v e l b u f f e r i n g , w h i l e

t h e a p p l i c a t i o n i s w r i t i n g d a t a f r o m t h e 8KB s t d i o w r i t eb u f f e r t o t h e d i s k a n d i s b l o c k e d , t h e 50MB k e r n e lb u f f e r i s q u i c k l y g e t t i n g f i l l e d b e c a u s e t h e a p p l i c a t i o n i sn o t p r o c e s s i n g n e w l y a r r i v i n g p a c k e t s . I n b o t h c a s e st h e r e i s a b l o c k e d c o m p o n e n t , a n d a n o t h e r c o m p o n e n tw h i c h b u f f e r s p a c k e t s d u r i n g t h i s t i m e .

One a d v a n t a g e o f u s i n g t h e m u l t i t h r e a d e d a p p r o a c hi s t h a t i f p a c k e t a n a l y s i s i s b e i n g d o n e i n a d d i t i o n t or e c o r d i n g p a c k e t s , w h i l e t h e w r i t e t h r e a d i s b u s y , t h em a i n a p p l i c a t i o n t h r e a d r e c e i v e s p a c k e t s a n d c a n

a n a l y z e a n d r e p o r t i n f o r m a t i o n t o t h e u s e r d u r i n g t h i st i m e . I n t h e k e r n e l b u f f e r i n g o n l y a p p r o a c h , t h e p a c k e t sa r e b u f f e r e d i n t h e k e r n e l a n d n o t s e e n b y t h ea p p l i c a t i o n u n t i l i t i s d o n e w i t h t h e 1 0 o p e r a t i o n ,t h e r e f o r e t h e a p p l i c a t i o n d o e s n ' t h a v e a c h a n c e t op r o c e s s t h e p a c k e t s w h i l e w a i t i n g f o r t h e I O o p e r a t i o nt o c o m p l e t e . T h i s w o u l d r e s u l t i n a s l o w e r r e s p o n s e

t i m e . A n o t h e r a d v a n t a g e o f t h e m u l t i - t h r e a d e d a p p r o a c hi s t h a t i t u s e s b u f f e r i n g i n d e p e n d e n t l y o f l i b p c a p t op r e v e n t p a c k e t l o s s .

T h e r e s u l t s i n t a b l e 1 i n d i c a t e t h a t w h e n 50MB o fmemory i s a l l o c a t e d t o t h e k e r n e l s o c k e t b u f f e r , s l i g h t l yf e w e r p a c k e t s a r e d r o p p e d t h a n w h e n t h e s a m e a m o u n t

o f memory i s a l l o c a t e d t o t h e t w o b u f f e r s i n t h et h r e a d e d v e r s i o n o f D u m p c a p . When t h e t h r e a d e dv e r s i o n o f Dumpcap i s g i v e n a n o t h e r 50MB o f k e r n e ll e v e l b u f f e r i n g , o n t o p o f t h e 50MB o f u s e r l e v e lb u f f e r i n g i t e m p l o y s , t h e r e s u l t s a r e j u s t a s g o o d , i f n o t

b e t t e r , t h a n t h e c a s e w h e r e t h e o r i g i n a l v e r s i o n o f

Dumcap i s u s e d w i t h 1 0 0 M B o f k e r n e l l e v e l b u f f e r i n g .H o w e v e r , t h e d i f f e r e n c e b e t w e e n t h e s e t w o s e t s o fr e s u l t s i s v e r y m i n o r a n d n o t s i g n i f i c a n t .

1 6 1

Page 5: wireshark ieee

8/2/2019 wireshark ieee

http://slidepdf.com/reader/full/wireshark-ieee 5/5

T a b l e 1 . Dumpcap p a c k e t c a p t u r e r e s u l t s w i t h 1 , 0 0 0 , 0 0 0 1 0 7 0 b y t e p a c k e t s

T r i a l # U n m o d i f i e d M o d i f i e d N o t w r i t i n g U n m o d i f i e d U n m o d i f i e d T h r e a d e d d i sk w ri t e T h r e a d e d d i s k

a p p l i c a t i o n t o n o t t o d i s k + a p p l i c a t i o n + a p p l i c a t i o n + ( 2 x 2 5 M B u s e r l e v e l w r i t e ( 2 x 2 5 M B

w i t h d e f a u l t w r i t e t o 1 0 M B 50 M B k e r n e l 100MB b u f f e r s ) + d e f a u l t u s e r l e v e l b u f f e r s )k e r n e l b u f f e r d i s k k e r n e l b u f f e r k e r n e l b u f f e r k e r n e l b u f f e r + 5 0 M B k e r n e l

b u f f e r b u f f e r

1 6 9 8 8 7 0 0 1 8 5 2 0 4 0 8 2 0

2 2 9 7 2 7 0 0 3 3 4 2 0 4 7 1 8 0

3 4 9 4 0 4 0 0 0 0 2 9 5 2 0

4 6 5 2 2 4 0 0 0 0 1 4 1 7 5 05 1 4 9 6 0 4 0 9 0 6 8 5 3 0 1 2 7 7 2 0

6 3 0 2 3 0 0 7 4 5 4 0 1 8 0 6 0

7 5 9 7 3 9 0 0 3 1 3 3 0 4 3 2 6 0

8 3 3 6 8 0 0 0 2 2 6 3 7 7 0 0

9 1 1 6 2 4 2 0 0 1 0 6 7 9 0 3 6 0 6 0

1 0 2 1 0 6 4 9 2 0 7 0 2 0 5 1 0 2 9 7 9 0

1 1 7 7 8 6 1 8 5 0 2 6 0 1 0 6 7 5 7 0

1 2 1 3 7 3 6 5 0 0 3 2 3 0 0 1 8 5 0 0

1 3 1 9 7 6 8 3 0 0 5 1 9 8 1 2 6 4 0 0 5 0

1 4 2 4 9 7 4 0 0 2 6 3 7 0 4 2 3 0 0

1 5 8 2 3 9 0 0 8 3 5 8 0 1 5 4 8 7 0

A v r g 6 6 , 5 5 1 5 4 0 3 , 8 2 4 2 4 5 , 8 3 5 0

Drop % 6 . 6 5 5 1 0 % 0 . 0 0 5 4 % 0 0 % 0 . 3 8 2 4 % 0 . 0 0 2 4 % 0 . 5 8 3 5 % 0 0 %

6 . C o n c l u s i o n s a n d f u t u r e work

T h e p r o p o s e d m u l t i - t h r e a d e d s o l u t i o n h a s t h ea d v a n t a g e o f a l l o w i n g t h e c a p t u r i n g a p p l i c a t i o n t os u p p o r t b u f f e r i n g i n d e p e n d e n t l y o f l i b p c a p . T h i s

s o l u t i o n c a n a l s o s p e e d u p t h e r e s p o n s e t i m e o f t h ea p p l i c a t i o n b e c a u s e t h e b u f f e r e d p a c k e t s a r e i n u s e rs p a c e a n d v i s i b l e t o t h e a p p l i c a t i o n .

T h e r e s u l t s s h o w e d t h a t i n c r e a s i n g t h e b u f f e r i n g a te i t h e r t h e k e r n e l l e v e l o r t h e a p p l i c a t i o n l e v e l c a n

s i g n i f i c a n t l y i m p r o v e t h e c a p t u r i n g p e r f o r m a n c e . T h eb e s t r e s u l t s c a n p e r h a p s b e a c hi e v e d b y u s i n g a m i x o f

i n c r e a s e d k e r n e l s o c k e t b u f f e r i n g a n d a m u l t i t h r e a d e d

c a p t u r i n g a p p l i c a t i o n w i t h i t s own s t o r e a n d h o l db u f f e r s .

A l t h o u g h t h e t e s t i n g f o r t h i s p a p e r w a s d o n e i n aF a s t E t h e r n e t n e t w o r k u s i n g W i r e s h a r k , t h e r e s u l t s a r ei n d e e d a p p l i c a b l e t o a l l l i b p c a p - b a s e d a p p l i c a t i o n s , a n ds h o u l d a l s o a p p l y t o G i g a b i t E t h e r n e t n e t w o r k s .U n f o r t u n a t e l y G i g a b i t E t h e r n e t e q u i p m e n t w a s n ' t

a v a i l a b l e t o b e u s e d i n t h e e x p e r i m e n t s c a r r i e d o u t a n dw o u l d h a v e t o b e l e f t a s f u t u r e w o r k .

R e f e r e n c e s

[ 1 ] E n d a c e M e a s u r e m e n t S y s t e m s . A v a i l a b l e a t

m o n i t o r i n - c a r d s / ( A u g 1 5 , 2 0 0 7 )

[ 2 ] V . J a c o b s o n , C . L e r e s , S . M c C a n n e , " l i b p c a p " , L a w r e n c e

B e r k e l e y L a b o r a t o r y , B e r k e l e y , C A . J u n e 1 9 9 4 . A v a i l a b l e a t

h t t p : l l w w w . t c p d u m p . o E g ( A u g 1 5 , 2 0 0 7 )

[ 3 ] G . C o m b s , " E t h e r e a l " . A v a i l a b l e a t

h t t p l l w w w . w i r e s h a r k o r a t ( A u g 1 5 , 2 0 0 7 )

[ 4 ] F . R i s s o , L . D e g i o a n n i , "An A r c h i t e c t u r e f o r H i g hP e r f o r m a n c e N e t w o r k A n a l y s i s , " i n P r o c . e h IEEE

S y m p o s i u m o n C o m p u t e r s a n d C o m m u n i c a t i o n s ( I S C C2 0 0 1 ) , ( H a m m a m e t , T u n i s i a , J u l y 2 0 0 1 ) .

[ 5 ] W. R . S t e v e n s , B . F e n n e r , A . M . R u d o f f , UNIXt N e t w o r kP r o g r a m m i n g V o l u m e 1 . Ne w J e r s e y : A d d i s o n W e s l e y ,2 0 0 3 .

[ 6 ] L . D e g io a n ni , G . V a r en ni , F . R i s s o , J . B r u n o , " W i n P c a p " .A v a i l a b l e a t h ( O c t 2 9 , 2 0 0 7 )

[ 7 ] Z . S h i y o n g , W. C h e n g r o n g , G . W e i , " N e t w o r k m o n i t o r i n g i nb r o a d b a n d n e t w o r k , " i n P r o c . W e b I n f o r m a t i o n S y s t e m sE n g i n e e r i n g ( D e c 3 - 6 , 2 0 0 1 , p p . 1 7 1 - 1 7 7 ) .

[ 8 ] J . C l e a r y , S . D o n n e l l y , I . G r a h a m , " D e s i g n P r i n c i p l e s f o rA c c u r a t e P a s s i v e M e a s u r e m e n t , " i n P r o c . PAM2000 P a s s i v e

a n dA c t i v e M e a s u r e m e n t W o r k s h o p ( A p r . 2 0 0 0 ) .

[ 9 ] P . W o o d , l i b p c a p - m m a p . A v a i l a b l e a t

h t t p : / / p u b l i c . l a n l . g o v / p ( A u g 1 5 , 2 0 0 7 )

[ 1 0 ] L . R i z z o , " D e v i c e P o l l i n g S u p p o r t f o r F r e e B S D , " i n P r o c .

BSDCon E u r o p e C on f e r e n c e ( B r i g h t o n , U n i t e d K i n g d o m ,N o v e m b e r 2 0 0 1 ) .

[ 1 1 ] J . C . M o g u l , K . K . R a m a k r i s h n a n , " E l i m i n a t i n g R e c e i v e

L i v e l o c k i n a n I n t e r r u p t - D r i v e n K e r n e l , " i n P r o c . ACM

T r a n s a c t i o n s o n C o m p u t e r S y s t e m s , ( A u g u s t 1 9 9 7 , p p .2 1 7 2 5 2 ) .

[ 1 2 ] I . K i m , J . M o o n , H . Y . Y e o m , " T i m e r - B a s e d I n t e r r u p tM i t i g a t i o n f o r H i g h P e r f o r m a n c e P a c k e t P r o c e s s i n g , " i nP r o c . 5 t h I n t e r n a t i o n a l C o n f e r e n c e o n H i g h - P e r f o r m a n c eC o m p u t i n g , ( A s i a - P a c i f i c R e g i o n , 2 0 0 1 ) .

[ 1 3 ] L . D e g i o a n n i , G . V a r e n n i , " I n t r o d u c i n g S c a l a b i l i t y i nN e t w o r k M e a s u r e m e n t : T o w a r d 1 0 G b p s w i t h C o m m o d i t yH a r d w a r e , " i n P r o c . I M C , ( T a o r m i n a , S i l i c y , I t a l y , O c t o b e r

2 5 - 2 7 , 2 0 0 4 , p p . 2 3 3 - 2 3 8 )

[ 1 4 ] G . V a r g h e s e , N e t w o r k A l g o r i t h m i c s : An I n t e r d i s c i p l i n a r yA p p r o a c h t o D e s i g n i n g F a s t N e t w o r k e d D e v i c e s . S a nF r a n c i s c o , C A : M o r g a n K a u f m a n n, 2 0 0 5 .

[ 1 5 ] A . T u r n e r , " T c p r e p l a y " . A v a i l a b l e a t

h t t : / / t c r e l a y . s y n f i n e t / t r a c / ( A u g 1 5 , 2 0 0 7 )

1 6 2


Wireshark User's Guidejruela/DOC/Wireshark-user-guide-a4_v1.0.0.pdf · Wireshark User's Guide 27488 for Wireshark 1.0.0 Ulf Lamping, Richard Sharpe, NS Computer Software and Services

Wireshark Guide

Wireshark OTG, Extend your Wireshark with extcap, iPad and

Wireshark PDF

Laboratorio Wireshark

Wireshark Lab: NAT - rkent.myweb.cs.uwindsor.carkent.myweb.cs.uwindsor.ca/cs367/Wireshark_SSL_v7.0.pdf · Wireshark Lab: NAT v7.0 ... Wireshark, you should set the ... complete HTTP

Lab - Using Wireshark to View Networkk Trafficccna.mpei.ac.ru/NetworkBasics/course/files/3.3.3.4... · Wireshark analysis, s network, t according Wireshark courses fo Wireshark packet

Wireshark Basics

Wireshark tcp

Taller wireshark

Wireshark Tutorial - Southern Illinois University Carbondalecs441/lectures/Wireshark Tutorial.pdf · Getting Wireshark Wireshark for Windows and Mac OS X can be easily downloaded

Wireshark User's Guide - For Wireshark 1.9 - User-guide-A4

Wireshark Deep packet inspection with Wireshark

Wireshark User’s Guide - GNOMEftp.gnome.org/.../pub/network/monitoring/wireshark/docs/user-guide-a4.pdf · Wireshark User’s Guide For Wireshark 2.1 Ulf Lamping

Breaking Wireshark

Wireshark - Basics

Wireshark User's Guidejruela/DOC/Wireshark-user-guide-a4_v1.0.0.pdfWireshark's Lua API Reference Manual ... Capturing with tcpdump for viewing with Wireshark ... Wireshark User's Guide

VoIP wireshark

Wireshark User's Guideschulz/pub/Rechnernetze/tools/wireshark/... · Wireshark User's Guide v1.11.3-rc1-1721-gdd4e5fc for Wireshark 1.11 Ulf Lamping, Richard Sharpe, NS Computer Software

Wireshark Dissectors

Wireshark Tutorial - George Mason University · Wireshark Tutorial INTRODUCTION The purpose of this document is to introduce the packet sniffer Wireshark. Wireshark would be used

Wireshark manual

Wireshark Tutorial

Wireshark User’s Guide - Yacer · Wireshark User’s Guide For Wireshark 2.1 ... Wireshark User’s Guide 9.6. LTE RLC Traffic Statistics ... Display Filter Macros

TRANSUM - Wireshark

Wireshark tutorial

Wireshark Labstaff.fmi.uvt.ro/.../labs/lab4/lab-1-Wireshark-HTTP.pdfIn this first Wireshark lab, you’ll get acquainted with Wireshark, and make some simple packet captures and observations

Wireshark Dissector

Wireshark Wcdma

Guide wireshark

Wireshark User's Guide - index-of.co.ukindex-of.co.uk/Security/packet-capture/wireshark/docs/... · 2019. 3. 7. · Wireshark User's Guide 26808 for Wireshark 1.0.0 Ulf Lamping, Richard

Wireshark tips

Captura Wireshark

Wireshark User's Guide - Bad Requestjruela/DOC/Wireshark-user-guide-a4_v1.0.0.pdf · Wireshark User's Guide 27488 for Wireshark 1.0.0 ... Capture frame ... Wireshark's Lua API Reference

Wireshark User's Guidepaginas.fe.up.pt/~jruela/DOC/Wireshark-user-guide-a4_v1.0.0.pdf · Wireshark User's Guide 27488 for Wireshark 1.0.0 Ulf Lamping, Richard Sharpe, NS Computer