Date of Award

3-10-2010

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Robert F. Mills, PhD

Abstract

Defending networks, network-connected assets, and the information they both carry and store is an operational challenge and a significant drain on resources. A plethora of historical and ongoing research efforts are focused on increasing the effectiveness of the defenses or reducing the costs of existing defenses. One valuable facet in defense is the ability to perform post mortem analysis of incidents that have occurred, and this tactic requires accurate storage and rapid retrieval of vast quantities of historical network data. This research improves the efficiency of capturing network packets to disk using commodity, general-purpose hardware and operating systems. It examines the bottlenecks between Network Interface Card (NIC) and disk, implements a kernel-space capture capability to improve storage efficiency, and analyzes the performance characteristics of this approach. The proof of concept PKAP kernel-space packet capture module avoids the penalties associated with both the kernel-to-user and user-to-kernel space memory copies, removing unnecessary overhead and improving the ability of a network capture system to accurately capture higher network rates with lower computational overhead. Results show that a kernel-space NIC-to-Disk (N2d) is both possible and beneficial. The PKAP kernel module can capture packets to disk with a packet drop rate 8.9% less than the user-space equivalent, at a 95% confidence interval. During the high levels of disk I/O contention produced by queries for the captured data, the PKAP implementation shows a 3% reduction in CPU utilization, and overall the PKAP implementation reduces memory utilization of the capture process by 16%.

AFIT Designator

AFIT-GCO-ENG-10-03

DTIC Accession Number

ADA516706

Download

Share

COinS