Network traffic is transmitted across a network, such as the Internet, from a sending system (e.g., a computer system) to a receiving system (e.g., a computer system) via a network interface card (NIC). The NIC is a piece of hardware found in a typical computer system that includes functionality to send and receive network traffic. Typically, network traffic is transmitted in the form of packets, where each packet includes a header and a payload. The header contains information regarding the source address, destination address, size, transport protocol used to transmit the packet, and various other identification information associated with the packet. The payload contains the actual data to be transmitted from the network to the receiving system.
It is often desirable to monitor packets exchanged between a sending system and a receiving system located on a network. A host, also connected to the network, is often used to perform the aforementioned monitoring. This host acts as an additional receiving system for all packets exchanged between the original sending and receiving systems.
Each of the packets sent between the sending system and receiving system is typically associated with a connection. The connection ensures that packets from a given process on the sending system reach the appropriate process on the receiving system. Packets received by the receiving system (via a NIC associated with the receiving system) are analyzed by a classifier to determine the connection associated with each packet.
Once the classifier determines the connection associated with the packets, the packets are forwarded to a hardware receive ring on the NIC. In some implementations, an interrupt is issued to the CPU associated with the hardware receive ring. In response to the interrupt, a thread associated with the CPU retrieves the packets from the hardware receive ring and places them in the appropriate queue. Once packets are placed in the queue, those packets are processed in due course. Generally, these queues utilize kernel level memory to store the packets.
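The classification step described above, as an added example that is not part of the original text: a minimal classifier that reads the connection identity from an IPv4 TCP/UDP header and picks a receive ring for it. The ring count, the names conn_key, classify and ring_for, the use of an FNV-1a hash to choose the ring, and the sample packet are all assumptions made for the example. Every header field is length-checked before use because it arrives from the network.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define NUM_RINGS 4u /* assumed number of hardware receive rings */
/* Connection identity read from the header (hypothetical struct name). */
struct conn_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
/* Constructed sample: IPv4/UDP, 192.0.2.1:5353 -> 198.51.100.2:53, no payload. */
static const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0x00, 0x02, 0x01, 0xc6, 0x33, 0x64, 0x02,   /* source, destination */
    0x14, 0xe9, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 }; /* UDP header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Fill *k from an IPv4 TCP/UDP packet; 0 on success, -1 if truncated or unhandled. */
int classify(const uint8_t *pkt, size_t len, struct conn_key *k)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;  /* too short / not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length, bytes */
    if (ihl < 20 || len < ihl + 4) return -1;       /* ports must be present */
    if (rd16(pkt + 2) > len) return -1;             /* total length exceeds buffer */
    if (rd16(pkt + 6) & 0x1fff) return -1;          /* later fragment: no ports */
    if (pkt[9] != 6 && pkt[9] != 17) return -1;     /* TCP (6) or UDP (17) only */
    k->proto = pkt[9];
    k->src_ip = rd32(pkt + 12);
    k->dst_ip = rd32(pkt + 16);
    k->src_port = rd16(pkt + ihl);
    k->dst_port = rd16(pkt + ihl + 2);
    return 0;
}

/* FNV-1a over the key, so every packet of one connection maps to one ring. */
unsigned ring_for(const struct conn_key *k)
{
    uint32_t w[3] = { k->src_ip, k->dst_ip, ((uint32_t)k->src_port << 16) | k->dst_port };
    uint32_t h = (2166136261u ^ k->proto) * 16777619u;
    for (int i = 0; i < 3; i++)
        for (int s = 0; s < 32; s += 8)
            h = (h ^ ((w[i] >> s) & 0xff)) * 16777619u;
    return h % NUM_RINGS;
}

int main(void)
{
    struct conn_key k;
    if (classify(sample_pkt, sizeof sample_pkt, &k) == 0) printf("ring %u\n", ring_for(&k));
    return 0;
}
```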