
Research and Implementation on Linux Packets Capturing of Gigabit Network

Advisors: Wang Meiqin (王美琴); Wang Xiaoyun (王小云)

Discipline: 081203

Degree conferred: Master's

Author: ;

Institution: Shandong University

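Abstract: Passive packet capture has a wide range of applications in network security, such as IDS (intrusion detection systems) and firewalls; software such as tcpdump, ethereal and snort all use this technique. As many application-layer services such as VoIP and P2P have come into use, the carrying capacity of networks has come under great strain. Because of CPU performance, the operating system's processing mechanisms and other factors, the traditional way of capturing packets can no longer meet the demands of gigabit networks. When network traffic is heavy in particular, the system drops large numbers of packets, which forms a system-level bottleneck.

NAPI, device polling, zero-copy and other techniques were proposed to solve this problem. Zero-copy is already applied maturely in the design of hardware such as routers and firewalls; by modifying the NIC driver, it lets applications directly access the NIC's memory in the kernel. Building on zero-copy, Luca Deri proposed a new solution: the PF_RING mechanism.

PF_RING does not require modifying the NIC driver. In the kernel, it relies on a buffered protocol family, PF_RING, combined with NAPI, to improve the NIC interrupt response frequency; in user space, applications can use mmap so that network packets are delivered directly to the application-layer user program. PF_RING is a software solution aimed at ordinary PCs and ordinary NICs, with rich interfaces and excellent performance.

On the basis of the PF_RING mechanism we did the following work:

1. Analysed the principles and implementation of PF_RING, and on that basis implemented PF_RING as a kernel module. Logically this part is divided into several steps: loading and unloading the module, registering the PF_RING protocol family, initializing the ring buffer, and adding skbs to the buffer.
2. Analysed PF_RING's interface to libpcap and implemented it through two layers of wrapping. Tested PF_RING with snort and other software, and carried out a comparative analysis based on the test results.
3. Implemented the PF_RING mechanism on a high-end embedded experimental platform (PowerPC 8540), preparing for further research on firewalls and intrusion detection systems in high-speed networks.

English abstract: Passive packet capture is widely used in network security, especially in IDS (Intrusion Detection System) and firewalls. Many IDS systems, such as tcpdump, ethereal and snort, use this mechanism. Nowadays, many application layer services, like P2P and VoIP, have become popular on the web, which overloads the internet. Traditional packet capture architecture is no longer efficient in gigabit networks; it loses most of the packets when flooded by high speed data transfer. There are various reasons for this; CPU frequency and the packet handling mechanism in the operating system are thought to be the most important problems. In order to solve the problem, new techniques such as 'NAPI', 'device polling' and 'zero-copy' were designed. Zero-copy is already applied in routers, firewalls and IDS systems, but you have to modify the drivers of the NIC (network interface card) so that user space applications can directly access the memory in kernel space. This is not convenient when porting the technique to new hardware or a new operating system. Based on zero-copy, Luca Deri brought out a new architecture named 'PF_RING'. In this new architecture, modifying the NIC driver is no longer needed.
In kernel space, allied with NAPI, a newly designed packet buffer is deployed, and the NIC interrupt response is improved too. In user space, packets received from the NIC are transferred directly to application processes by memory re-mapping ('mmap'). 'PF_RING' is designed for PCs; it is a high performance solution for high speed packet capture. It has various interfaces, and it can be used in various systems without much rework. Our work is based on the 'PF_RING' architecture, and is as follows: First of all, we go deep into the principles of 'PF_RING' and apply it in our own network environment as a kernel module. There are several steps in this application: 'loading and unloading kernel module', 'registering PF_RING protocols', 'initialization of ring cache', 'add skb to r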

Keywords: kernel; interrupt mechanism; NIC driver

Field: [Automation and Computer Technology]
