Research on DPDK Based High-Speed Network Traffic Analysis
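The main purposes of network traffic analysis are:
- Business content analysis, such as advertising recommendations in operations
- Performance monitoring
- Information security
As a means of high-speed network interconnection, how can DPDK be used to analyze network traffic?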
1. Research on DPDK Based High-Speed Network Traffic Analysis ▪ Zihao Wang ▪ Network & Information Center, Shanghai Jiao Tong University
2. Outline ▪ 1 Background ▪ 2 Overview ▪ 3 DPDK Based Traffic Analysis ▪ 4 Experiment ▪ 5 Conclusion
3. Usage of Traffic ▪ Business Benefit ▪ ISPs’ personalized advertising ▪ Performance Monitoring ▪ Security
4. Mainstream Traffic Analysis Method ▪ Protocol Analysis ▪ Port based method ▪ Payload based method ▪ Statistical approach based method ▪ Content Analysis
5. Current Packet Capture Engine ▪ Libpcap/Winpcap ▪ PF_RING ▪ Netmap
6. DPDK Framework
7. Why DPDK ▪ Zero Copy ▪ Poll Mode Driver Architecture ▪ Fine Hardware Support ▪ Use Pointer As Much As Possible ▪ Easy-to-use Ring Manager ▪ Packet Forwarding Algorithm Support ▪ Native IPv6 Support
8. Traditional Capture Engine
9. Traditional Capture Engine
10. DPDK Based Traffic Analysis System ▪ Load balancing
11. DPDK Based Packet Capture ▪ pdump User Space
12. DPDK Based Packet Capture ▪ KNI User Space
13. DPDK Based Packet Capture ▪ Pdump Based ▪ Copied by port driver ▪ Dumped by pdump program ▪ KNI Based ▪ Copied in user space ▪ Send to kernel ▪ Dumped by pcap API
14. DPDK Based Packet Capture ▪ Pdump Based ▪ Easy to use ▪ Copied once ▪ KNI Based ▪ Need to create new thread ▪ Poor performance ▪ Highly customizable ▪ System API supported ▪ Recommended for bypass capture
15. DPDK Based Traffic Analysis System ▪ Basic Architecture
16. DPDK Based Packet Capture ▪ User Space
17. Compared with DPDK Based Packet Capture ▪ Pdump Based ▪ Slow down the main business ▪ Uncompressed file IO ▪ Copy at least once ▪ KNI Based ▪ Poor performance ▪ Using kernel protocol stack ▪ More copy operation
18. DPDK Based Packet Analysis
19. DPDK Based Packet Analysis ▪ Multiple Producers Queue ▪ Flow Classification Support ▪ Highly customizable ▪ Improve CPU cache hit rate ▪ Avoid resource competition ▪ Expand support for both dimensions
20. Detailed Design ▪ Environment Abstraction Layer ▪ Set CPU affinity ▪ Set Hugepage ▪ Reload hardware by PMD
21. Detailed Design ▪ Packet Capture Layer ▪ Get device information ▪ Initialize ports ▪ RSS ▪ Producer queue ▪ Consumer queue ▪ Binding threads
22. Detailed Design ▪ Packet Capture Layer ▪ Initialize ports
23. Detailed Design ▪ Packet Processing Layer ▪ Consumer queue management ▪ Data analysis ▪ Software migration
24. Detailed Design ▪ Packet Processing Layer ▪ Pcap compatible
25. Detailed Design ▪ Packet Processing Layer ▪ IPv6 support ▪ Making use of kernel protocol stack
26. Detailed Design ▪ Packet Processing Layer ▪ IPv6 support ▪ Making use of kernel protocol stack
27. Detailed Design ▪ Packet Processing Layer ▪ IPv6 support ▪ Make use of DPDK IPv6 Support
28. Detailed Design ▪ Packet Processing Layer ▪ IPv6 support ▪ Make use of DPDK IPv6 Support
29. Performance Testing ▪ Use SJTU campus network traffic as the testing background ▪ Add feature packets to the traffic ▪ Process the traffic with the analysis system ▪ Count the feature packets in the analysis result ▪ Compare with the total number of feature packets and evaluate system performance