Network DVR: A Programmable Framework for Application-Aware Trace Collection
Paper presenter: 張家瑋 / University of California, San Diego / Department of Electrical Engineering
http://www.pam2010.ethz.ch/
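Network packet traces are of great value to a wide range of network applications, including network measurement and network security analysis. Because existing systems lack intelligent design, they are forced to collect the network activity (packets) of every computer and then process and analyze it at the back end. Although this kind of analysis can produce more accurate results, it is more efficient to directly access the packet traces that an application needs to analyze. In this research report, we propose the Network DVR, which can be driven precisely by many network applications and directly and efficiently records the packet traces those applications need to analyze. It also greatly reduces memory-copy and disk activity, which is a major basis for judging system performance. Using real network packet traces and an implementation of our Network DVR, we show that, compared with the previous system, our system reduces memory copies by a factor of 500 to over 800, greatly reducing the memory space used for packet access.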
Network traces are essential for a wide range of network applications, including traffic analysis, network measurement, performance monitoring, and security analysis. Existing capture tools do not have sufficient built-in intelligence to understand these application requirements. Consequently, they are forced to collect all packet traces that might be useful at the finest granularity to meet a certain level of accuracy requirement. It is up to the network applications to process the per-flow traffic statistics and extract meaningful information. But for a number of applications, it is much more efficient to record packet sequences for flows that match some application-specific signatures, specified using, for example, regular expressions. A basic approach is to begin memory-copy (recording) when the first character of a regular expression is matched. However, a match often eventually fails, and the memory consumed in the interim is wasted. In this paper, we present a programmable application-aware triggered trace collection system called Network DVR that performs precisely the function of packet content recording based on user-specified trigger signatures. This in turn significantly reduces the number of memory copies that the system has to consume for valid trace collection, which has been shown previously as a key indicator of system performance [8]. We evaluated our Network DVR implementation on a practical application using 10 real datasets that were gathered from a large enterprise Internet gateway. In comparison to the basic approach in which the memory-copy starts immediately upon the first character match without triggered-recording, Network DVR was able to reduce the amount of memory copies by a factor of over 500x on average across the 10 datasets and over 800x in the best case.
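The difference between the basic approach and triggered recording can be seen in a small model. This is an added example, not code from the paper or its authors; it assumes a literal byte signature instead of a regular expression, a fixed post-match recording window, and constructed sample traffic, and the function names are hypothetical.

```python
# Added illustration: a simplified model, not the Network DVR implementation.
# Assumptions: literal byte signature, one payload stream, and a fixed
# number of bytes (window) recorded after each full signature match.

def speculative_copies(payload: bytes, sig: bytes, window: int) -> dict:
    """Basic approach: begin copying at every byte equal to sig[0]."""
    if not sig:
        raise ValueError("signature must not be empty")
    useful = wasted = i = 0
    while i < len(payload):
        if payload[i] != sig[0]:
            i += 1
            continue
        n = 0  # bytes copied while the comparison keeps succeeding
        while n < len(sig) and i + n < len(payload) and payload[i + n] == sig[n]:
            n += 1
        if n == len(sig):
            recorded = min(window, len(payload) - (i + n))
            useful += n + recorded
            i += n + recorded
        else:
            wasted += n  # buffer is discarded once the match fails
            i += 1
    return {"useful": useful, "wasted": wasted, "total": useful + wasted}

def triggered_copies(payload: bytes, sig: bytes, window: int) -> dict:
    """Triggered recording: copy only after the whole signature matched."""
    if not sig:
        raise ValueError("signature must not be empty")
    useful = 0
    i = payload.find(sig)
    while i != -1:
        recorded = min(window, len(payload) - (i + len(sig)))
        useful += len(sig) + recorded
        i = payload.find(sig, i + len(sig) + recorded)
    return {"useful": useful, "wasted": 0, "total": useful}

# Constructed sample traffic (not from the paper's datasets).
SIG = b"GET /admin"
BENIGN = b"GET /index HTTP/1.1\r\nGET /about HTTP/1.1\r\n"
HIT = b"GET /admin/login HTTP/1.1\r\n"

if __name__ == "__main__":
    stream = BENIGN * 1000 + HIT
    basic = speculative_copies(stream, SIG, window=16)
    trig = triggered_copies(stream, SIG, window=16)
    print("basic:", basic)
    print("triggered:", trig)
    print("copy reduction: %.0fx" % (basic["total"] / trig["total"]))
```

In this model the wasted copies grow with the volume of traffic that shares a prefix with the signature, while the triggered total depends only on the number of real matches.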