Abstract
FFPF is a network monitoring framework designed for three things: speed (handling high link rates), scalability (ability to handle multiple applications) and exibility. Multiple applications that need to access overlapping sets of packets may share their packet buffers, thus avoiding a packet copy to each individual application that needs it. In addition, context switching and copies across the kernel boundary are minimised by handling most processing in the kernel or on the network card and by memory mapping all buffers to userspace, respectively. For these reasons, FFPF has superior performance compared to existing approaches such as BSD packet lters, and especially shines when multiple monitoring applications execute simultaneously. Flexibility is achieved by allowing expressions written in different languages to be connected to form complex processing graphs (not unlike UNIX processes can be connected to create complex behaviour using pipes). Moreover, FFPF explicitly supports extensibility by allowing new functionality to be loaded at runtime. By also implementing the popular pcap packet capture library on FFPF, we have ensured backward compatibility with many existing tools, while at the same time giving the applications a sign cant performance boost.
Original language | English |
---|---|
Pages | 347-362 |
Number of pages | 16 |
State | Published - 2004 |
Event | 6th Symposium on Operating Systems Design and Implementation, OSDI 2004 - San Francisco, United States Duration: 6 Dec 2004 → 8 Dec 2004 |
Conference
Conference | 6th Symposium on Operating Systems Design and Implementation, OSDI 2004 |
---|---|
Country/Territory | United States |
City | San Francisco |
Period | 6/12/04 → 8/12/04 |