from the network are handed off to sniffing applications. The basic idea is that the NIC may interrupt (or be read by polling, ultimately driven from a hardware clock interrupt) and then some number of packets are read in and placed in operating system buffers (not shown). These buffers are then copied to a ring buffer of a certain size inside the kernel. Conceptually the ring buffer is a queue. The application can then use the read system call to read the queued packets from the ring buffer and process them. This is actually a very traditional operating system design model called the producer-consumer model. The producer is the operating system, which includes both the NIC driver as well as the ring buffer code that stuffs packets into the queue. The consumer is the ourmon probe application.

One very general problem is that, for important reasons, the operating system will run before applications run; otherwise the operating system might not be able to service the applications. Here this could mean that the device driver is so busy stuffing packets into the ring buffer that the application never gets to read any packets out of the ring buffer. This can easily happen with a single-CPU system. Interrupts can also play a harmful role. If too many packets are coming in too fast (say, with a small-packet DDOS attack), the NIC might simply lock up the entire system. The system only processes interrupts and more or less nothing else happens. This is a form of deadlock called livelock (not dead, but not doing anything useful either). Now, given the big picture, let's turn and look at various optimization techniques.
Buy a Dual-Core CPU for the Probe
One possible approach to parallelization is rather easy these days and is becoming cheaper all the time. Both AMD and Intel now have computers with dual-core processors. Dual-core means that with a symmetric multiprocessing (SMP) operating system, you will effectively run the NIC on one CPU and the ourmon probe on the second. The outcome is that you avoid the situation where they are contending for one CPU (and the application always loses). This can help a lot and should be standard practice for anyone running an important sniffing application. If you get a dual-core CPU, make sure that the operating system is actually using SMP! It won't do you much good if you have the hardware but forgot to enable the software.
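The producer-consumer model above, and the difference a second CPU makes, can be seen in a small simulation. This is an added example, not code from the book or from ourmon: it models the kernel driver as a producer that always runs first and a fixed-size ring buffer that drops packets once it is full; the single-CPU case gives the application only whatever CPU time the driver left over in each tick, while the SMP case gives it a full time slice of its own. The arrival pattern and all rates are constructed values.

```python
from collections import deque

# Constructed traffic pattern: quiet, a small-packet flood, then quiet again.
# Each entry is the number of packets arriving in one scheduler tick.
FLOOD = [3] * 4 + [10] * 6 + [3] * 4


def simulate_capture(arrivals, ring_size, cpu_budget, smp):
    """Model the NIC driver (producer) feeding a kernel ring buffer that the
    sniffing application (consumer) drains with read().

    cpu_budget: packets a CPU can handle per tick (produce or consume).
    smp=False: one CPU, the driver runs first and the application only gets
               what is left over, so a flood starves it (livelock).
    smp=True:  the application has its own CPU and a full budget every tick.
    Returns counts of packets read by the application, dropped because the
    ring was full, and still queued at the end.
    """
    ring = deque()
    consumed = dropped = 0
    for n in arrivals:
        # Producer phase: the driver stuffs every arriving packet into the ring;
        # once the ring is full the kernel has nowhere to put it and drops it.
        for _ in range(n):
            if len(ring) < ring_size:
                ring.append(1)
            else:
                dropped += 1
        # Consumer phase: the application reads from the ring. On a single
        # CPU it only runs with whatever budget the driver did not use.
        budget = cpu_budget if smp else max(0, cpu_budget - n)
        for _ in range(min(budget, len(ring))):
            ring.popleft()
            consumed += 1
    return {"consumed": consumed, "dropped": dropped, "queued": len(ring)}


if __name__ == "__main__":
    for smp in (False, True):
        stats = simulate_capture(FLOOD, ring_size=16, cpu_budget=8, smp=smp)
        print("SMP" if smp else "single CPU", stats)
```

On a real probe the same loss shows up as the `ps_drop` counter that libpcap's `pcap_stats()` reports; a rising drop count during bursts is the sign that the consumer is losing the contention the text describes.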