Linuxflow is a passive network measurement facility designed for use on high-speed links such as gigabit networks. It is a Linux-based software solution that provides fine-grained traffic information at both the packet and flow level; its design draws on ideas from Libpcap, Cisco NetFlow, IETF RTFM, etc.
Passive network measurement is crucial for network management. Many projects and systems depend on it, such as NMS, IP accounting and billing systems, IP monitoring, user behavior analysis, and network anomaly detection. In CERNET we have historically used several passive measurement techniques. The following figure presents the measurement methods CERNET used during the 5 years until 2002 to handle the increasingly large number of packets at the network gateway, along with their respective capabilities.
In order to meet the increasing performance requirements of the high-speed IP Accounting and Billing System and the IP Monitoring Infrastructure for CERNET, we designed Linuxflow based on the following considerations:
Basically, Linuxflow works the same way as TCPDUMP. You can set the network card in promiscuous mode and use Linuxflow to sniff the traffic. Linux includes:
You can set up a sniffing environment for Linuxflow in several ways:
You can obtain more detailed information about Linuxflow through my Paper and Presentation on
See also the Paper and presentation section.
In packet capture, packets received by a NIC are passed to the Linux kernel by the NIC driver, and then from kernel space to the user-space flow-aggregating daemon or other analysis applications by the capture protocol stack through a socket. Several factors influence performance along this chain.
First, consider the hardware. Because all packets must enter the NIC and cross the PCI bus to reach the NIC driver, the usable network bandwidth is limited by the NIC's capability and the PCI bandwidth. For gigabit or even faster environments, a 64-bit, 66 MHz or 64-bit, 133 MHz PCI bus should be considered. Moreover, the packets-per-second (PPS) rate directly determines the CPU interrupt rate. For example, if every packet arriving on a 1 Gb/s NIC generates an I/O interrupt, the system will be interrupted every 12 μs. Most PC systems cannot keep up with this interrupt rate. A common technique to reduce CPU requirements and increase throughput is interrupt moderation, which bundles several packets into a single interrupt. Some NIC drivers let you set how many packets are processed per interrupt or the RX buffer size; tuning these parameters may improve capture performance. If the NIC has enough capability, a faster CPU can keep up with a higher PPS rate.
Furthermore, the software architecture needs to be optimized to reach the highest performance the hardware allows. Context switches between kernel space and user space are quite costly, so we should filter as much information as possible in the kernel and copy only selected packet fields to user space. In addition, we should coalesce records to reduce the number of copies from kernel space to user space. Based on the above considerations, we designed Linuxflow :)
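The "copy only selected fields, then coalesce records" idea above, sketched as an added user-space example in C (not Linuxflow's own code): a batch of compact per-packet summaries is folded into per-flow packet and byte counters. The struct layout, the names `pkt_sum`, `slot_for` and `aggregate`, the table size and the sample packets are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed per-packet summary (illustrative, not Linuxflow's real record format). */
struct pkt_sum { uint32_t src, dst; uint16_t sport, dport, len; uint8_t proto; };
struct flow { struct pkt_sum key; uint64_t pkts, bytes; int used; };

#define TABLE_SIZE 64                 /* power of two, small for the demo */
static struct flow table[TABLE_SIZE];

static uint32_t hash5(const struct pkt_sum *p) {
    uint32_t h = (p->src * 2654435761u) ^ (p->dst * 2246822519u) ^ p->proto;
    h ^= (((uint32_t)p->sport << 16) | p->dport) * 3266489917u;
    return (h ^ (h >> 15)) & (TABLE_SIZE - 1);
}
static int same_flow(const struct pkt_sum *a, const struct pkt_sum *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}
/* Linear probing: the flow's slot, else the first free one, NULL if full. */
static struct flow *slot_for(const struct pkt_sum *k) {
    uint32_t s = hash5(k);
    for (int i = 0; i < TABLE_SIZE; i++, s = (s + 1) & (TABLE_SIZE - 1))
        if (!table[s].used || same_flow(&table[s].key, k)) return &table[s];
    return NULL;
}

/* Fold one batch (one kernel-to-user copy) into the table; returns packets left uncounted. */
int aggregate(const struct pkt_sum *batch, int n) {
    int missed = 0;
    for (int i = 0; i < n; i++) {
        struct flow *f = slot_for(&batch[i]);
        if (!f) { missed++; continue; }          /* table full: count the loss */
        if (!f->used) { f->key = batch[i]; f->used = 1; }
        f->pkts++; f->bytes += batch[i].len;
    }
    return missed;
}

/* Constructed sample: five packets in two flows (one TCP, one UDP). */
static const struct pkt_sum sample[] = {
    {0x0A000001, 0x0A000002, 40000, 80, 1500, 6}, {0x0A000003, 0x0A000002, 5353, 53, 80, 17},
    {0x0A000001, 0x0A000002, 40000, 80, 1500, 6}, {0x0A000003, 0x0A000002, 5353, 53, 120, 17},
    {0x0A000001, 0x0A000002, 40000, 80, 40, 6},
};

int main(void) {
    int missed = aggregate(sample, 5);
    printf("missed=%d tcp_bytes=%llu\n", missed, (unsigned long long)slot_for(&sample[0])->bytes);
    return 0;
}
```

Five summaries collapse into two flow records, so the per-record cost of crossing into user space is paid per flow rather than per packet; the `missed` counter makes table exhaustion visible instead of silently undercounting.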
| Component | Specification |
|---|---|
| Processor | Dual Intel XEON 2.0 GHz or higher |
| Memory | 1 GB or higher |
| Accessory (PCI bus) | 64-bit, 66 MHz or 64-bit, 133 MHz or higher |
| Main board | Serverworks or Intel |
| NIC | SysKonnect, Intel EEpro1000 XF, etc. |
"Linuxflow: A High Speed Backbone Measurement Facility"
ZhiChun Li, Hui Zhang, Yue You, Tao He,
Passive and Active Measurement Workshop (PAM) 2003, La Jolla, California, USA, April, 2003.
(PDF 190KB) (Slides: PDF 375KB PPT 586KB )