Traffic Analysis on High-Speed Internet Links

The past years have seen an increase in the importance of computer networks for many tasks in day-to-day life. Network services are crucial for many business work-flows and become more important for the private life driven by new services such as social networks or online video streaming portals. As the need for network service availability increases, operators see a growing need for understanding the current state of their networks. Monitoring techniques for detecting network failures, attacks on end systems, or potential bottlenecks that could be mitigated by careful network optimization receive more attention in the research and business community. Many current traffic analysis systems employ deep packet inspection (DPI) in order to analyze network traffic. These systems include intrusion detection systems, software for network traffic accounting, traffic classification, or systems for monitoring service-level agreements. Traffic volumes and link speeds of current enterprise and ISP networks, however, transform the process of inspecting traffic payload into a challenging task. A traffic analysis setup needs to be properly configured in order to meet the challenges posed by traffic volumes in current high-speed networks. This dissertation evaluates the performance of current packet capturing solutions of standard operating systems on commodity hardware. We identify and explain bottlenecks and pitfalls within the capturing stacks, and provide guidelines for users on how to configure their capturing systems for optimal performance. Furthermore, we propose improvements to the operating system’s capturing processes that reduce packet loss, and evaluate their impact on capturing performance. Depending on the computational complexity of the desired traffic analysis application, even the best-tuned capturing setups can suffer packet loss if the employed hardware is short in available computational resources. We address this problem by presenting and evaluating new sampling algorithms that can be deployed in front of a traffic analysis application to reduce the amount of inspected packets without degrading the results of the analysis significantly. These algorithms can be used in conjunction with multicore-aware network traffic analysis setups for exploiting the capabilities of multi-core hardware. The presented analysis architecture is demonstrated to be suitable for live traffic measurements for security monitoring, for the analysis of security protocols and for traffic analysis for network optimization.