Packet capture is an essential function for many network applications, including intrusion detection systems and packet-based network performance analysis applications. Packets are typically captured from the wire, temporarily stored at a data capture buffer, and finally delivered to applications for processing. Because these operations are performed on a per-packet basis, packet capture is typically computationally and throughput intensive. In high-speed networks, packet capture faces significant performance challenges.
Packet drop is a major problem with packet capture in high-speed networks. There are two types of packet drop: packet capture drop and packet delivery drop. Packet capture drop is mainly caused by the inability of the packet capture mechanism to keep pace with the incoming packet rate. Consequently, packets may be dropped because they cannot be captured in time.
Packet delivery drop is mainly caused by the inability of an application to keep pace with the packet capture rate. Consequently, the data capture buffer overflows and packet drops occur even when 100% of the network traffic is captured from the wire. Any type of packet drop will degrade the accuracy and integrity of network monitoring applications. Thus, there is a need in the art to avoid packet drops in packet capture tools.
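The two drop types described above can be told apart by counting them at different points of the pipeline. The following is an added example, not part of the patent text: a discrete-time model of a bounded data capture buffer with separate counters for packets lost before capture and packets lost because the buffer was full; all rates and the buffer size are constructed values.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class DropStats:
    offered: int = 0         # packets that arrived on the wire
    capture_drops: int = 0   # lost because capture could not keep pace with the wire
    delivery_drops: int = 0  # lost because the capture buffer was full (application too slow)
    delivered: int = 0       # packets the application actually processed


def simulate(arrivals, capture_per_tick, app_per_tick, buffer_size):
    """Model one capture pipeline over len(arrivals) ticks.

    arrivals:         constructed list of packets hitting the wire in each tick
    capture_per_tick: most packets the capture path can take off the wire per tick
    app_per_tick:     most packets the application consumes from the buffer per tick
    buffer_size:      capacity of the data capture buffer (packets)
    """
    buf = deque()
    stats = DropStats()
    for arrived in arrivals:
        stats.offered += arrived
        # Capture drop: anything beyond the capture rate is never taken off the wire.
        captured = min(arrived, capture_per_tick)
        stats.capture_drops += arrived - captured
        # Delivery drop: captured packets that find no free slot in the buffer.
        free = buffer_size - len(buf)
        stored = min(captured, free)
        stats.delivery_drops += captured - stored
        buf.extend([1] * stored)
        # The application drains the buffer at its own (possibly slower) rate.
        consumed = min(app_per_tick, len(buf))
        for _ in range(consumed):
            buf.popleft()
        stats.delivered += consumed
    return stats


if __name__ == "__main__":
    # 100% of the wire is captured, but the application is slower than the wire:
    # only delivery drops occur, which is the case the text describes.
    print(simulate([10] * 20, capture_per_tick=10, app_per_tick=8, buffer_size=16))
    # The capture path itself is slower than the wire: only capture drops occur.
    print(simulate([12] * 10, capture_per_tick=10, app_per_tick=10, buffer_size=16))
```

Packets still sitting in the buffer at the end are neither delivered nor dropped, so `offered == delivered + capture_drops + delivery_drops + len(buffer)` holds for every run.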
There are several prior art approaches for solving this problem. One approach is to apply traffic steering to distribute the traffic evenly. However, this approach cannot preserve the application logic. Another approach involves the use of existing packet capture engines to handle load imbalance in the application layer, but an application in user space has little knowledge of low-level layer conditions and cannot effectively handle load imbalance.
Accordingly, the present embodiments provide improved methods and systems for packet capture.