Packet-based Network Traffic Monitoring and Analysis with GPUs

Wenji Wu, Phil DeMar wenji@fnal.gov, demar@fnal.gov

GPU Technology Conference 2014 March 24-27, 2014 SAN JOSE, CALIFORNIA

Background

• Main uses for network traffic monitoring & analysis tools: – Operations & management – Capacity planning – Performance troubleshooting

• Levels of network traffic monitoring & analysis: – Device counter level (snmp data) – Traffic flow level (flow data) – Packet level (The Focus of this work)

• security analysis • application performance analysis • traffic characterization studies

2

Characteristics of packet-based network monitoring & analysis applications

• Time constraints on packet processing.

• Compute and I/O throughput-intensive

• High levels of data parallelism.

– Packet parallelism. Each packet can be processed independently

– Flow parallelism. Each flow can be processed independently

• Extremely poor temporal locality for data – Typically, data processed once in sequence; rarely reused

Background (cont.)

3

Packet-based traffic monitoring & analysis tools face performance & scalability challenges within high-performance networks.

– High-performance networks: • 40GE/100GE link technologies

• Servers are 10GE-connected by default

• 400GE backbone links & 40GE host connections loom on the horizon.

– Millions of packets generated & transmitted per sec

The Problem

4

• Requirements on computing platform for high performance network monitoring & analysis applications:

– High Compute power

– Ample memory bandwidth

– Capability of handing data parallelism inherent with network data

– Easy programmability

Monitoring & Analysis Tool Platforms (I)

5

• Three types of computing platforms: – NPU/ASIC – CPU – GPU

Monitoring & Analysis Tool Platforms (II)

Features NPU/ASIC CPU GPU

High compute power Varies ✖ ✔

High memory bandwidth Varies ✖ ✔

Easy programmability ✖ ✔ ✔

Data-parallel execution model ✖ ✖ ✔

Architecture Comparison

6

Our Solution Use GPU-based Traffic Monitoring & Analysis Tools

Highlights of our work:

• Demonstrated GPUs can significantly accelerate network traffic monitoring & analysis – 11 million+ pkts/s without drops (single Nvidia M2070)

• A generic I/O architecture to move network traffic from wire into GPU domain

• Implemented a GPU-accelerated library for network traffic capturing, monitoring, and analysis. – Dozens of CUDA kernels, which can be combined in a variety of ways to perform

monitoring and analysis tasks

7

Key Technical Issues

• GPU’s relatively small memory size:

– Nvidia M2070 has 6 GB Memory, K10 has 8 GB Memory

– Workarounds: • Mapping host memory into GPU with zero-copy technique? ✖ • Partial packet capture approach ✔

• Need to capture & move packets from wire into GPU domain without packet loss

• Need to design data structures that are efficient for both CPU and GPU

8

System Architecture

...

1. Traffic Capture2. Preprocessing GPU Domain

Monitoring & Analysis

Kernels

Output

User Space

Output

Output

3. Monitoring & Analysis

4. Output Display

Packet

Buffer

Network Packets

NICs

Packet

BufferOutput

...

Capturing

CapturedData

Packet Chunks

• Traffic Capture • Preprocessing

Four Types of Logical Entities:

• Monitoring & Analysis • Output Display

9

Packet I/O Engine

Free Packet Buffer Chunks

OS Kernel

User Space

...

Capture

Attach

Recycle

Recv Descriptor Ring

Packet Buffer Chunk

Incoming PacketsNIC

...

Descriptor Segments

Processing Data

Key techniques

• A novel ring-buffer-pool mechanism • Pre-allocated large packet buffers • Packet-level batch processing • Memory mapping based zero-copy

Key Operations

• Open • Capture • Recycle • Close

10

Goal:

• To avoid packet capture loss

GPU-based Network Traffic Monitoring & Analysis Algorithms

• A GPU-accelerated library for network traffic capturing, monitoring, and analysis apps. – Dozens of CUDA kernels

– Can be combined in a variety of ways to perform intended monitoring & analysis operations

11

Packet-Filtering Kernel

1

raw_pkts [ ]

filtered_pkts [ ]

filtering_buf [ ]

scan_buf [ ]

index

0 1 2 3 4 5 6 7

0 1 2 3 4 5 6 7

index

index

0 1 2 3

Filtering

1

Scan

2

Compact

3

p2p1 p3 p5p4 p6 p8p7

0 1 1 0 0 1 0

0 1 1 2 3 3 3 4

p1 p3 p4 p7

x x xx

Advanced packet filtering capabilities at wire speed are necessary so that we only analyze those packets of interest to us.

We use Berkeley Packet Filter (BPF) as the packet filter

A few basic GPU operations, such as sort, prefix-sum, and compact.

12

Sample Use Case -1

Using our GPU-accelerated library, we developed a sample use case to monitor network status:

• Monitor networks at different levels: – from aggregate of entire network down to one node

• Monitor network traffic by protocol

• Monitor network traffic information per node: – Determine who is sending/receiving the most traffic – For both local and remote addresses

• Monitor IP conversations: – Characterizing by volume, or other traits.

13

Packet Parallelism

Sample Use Case 1 – Data Structures Three key data structures were created at GPU: • protocol_stat[]

– an array that is used to store protocol statistics for network traffic, with each entry associated with a specific protocol.

• ip_snd[] and ip_rcv[] – arrays that are used to store traffic statistics for IP conversations in the send and receive

directions, respectively.

• ip_table – a hash table that is used to keep track of network traffic information of each IP address node.

These data structures are designed to reference themselves and each other with relative offsets such as array indexes.

14

Sample Use Case 1 – Algorithm

1. Call Packet-filtering kernel to filter packets of interest

2. Call Unique-IP-addresses kernel to obtain IP addresses

3. Build the ip_table with a parallel hashing algorithm

4. Collect traffic statistics for each protocol and each IP node

5. Call Traffic-Aggregation kernel to build IP conversations

15

Sample use case 2 Using our GPU-accelerated library, we developed a sample use case to monitor bulk data transfer:

• Monitor bulk data transfer rate • from aggregate of entire network down to one node

• Analyze data transfer performance bottlenecks – Sender-limited, network-limited, or receiver-limited?

– Network-limited? • Packet drops, or packet reordering?

16

Packet Parallelism +

Flow Parallelism

17

Sample Use Case 2 – Algorithm

Monitoring Mode:

1. Call Packet-filtering kernel to filter packets of interest

2. Call TCP-throughput kernel to calculate data transfer rates

Analyzing Mode:

1. Call Packet-filtering kernel to filter packets of interest

2. Classify packets into flows

3. Call TCP-analysis kernel to analyze performance bottlenecks

Prototyped System

P0 P1

I

O

H

I

O

H10G-NIC

M2070

MemMem QPI

QPI

QPI

QPI

PCI-E10G-NIC

PCI-E

Nod

e 0

Nod

e 1

PCI-E

Prototyped System

• Our application is developed on Linux.

• CUDA 5.0 programming environment.

• The packet I/O engine is implemented on Intel 82599-based 10GigE NIC

• A two-node NUMA system • Two 8-core 2.67GHz Intel X5650 processors. • Two Intel 82599-based 10GigE NICs • One Nvidia M2070 GPU.

18

Performance Evaluation Packet I/O Engine

Packet drop rate – one-nic-exp Packet drop rate – two-nic-exp

• Our Packet I/O engine (GPU-I/O) achieves better performance than NETMAP and PSIOE in avoiding packet capture loss.

19

0

0.1

0.2

0.3

0.4

0.5

1000 10000 100000 1000000 10000000

Packetdroprate

Numberofpackets

psioe-1.6 psioe-2.0 psioe-2.4

netmap-1.6 netmap-2.0 netmap-2.4

gpu-i/o-1.6 gpu-i/o-2.0 gpu-i/o-2.4

Performance Evaluation GPU-based Packet Filtering Algorithm

20

0

20

40

60

80

100

120

140

160

180

mmap-gpus-cpu-1.6 s-cpu-2.0 s-cpu-2.4 m-cpu-1.6m-cpu-2.0m-cpu-2.4 st-gpu

Through

put(M

illionp/s) Data-set-1 Data-set-2

Data-set-3 Data-set-4

Performance Evaluation GPU-based Sample Use Case - 1

21

0

10

20

30

40

50

60

70

80

90

100

IP udp net129.15.30 net131.225.107

Through

put(M

illionp/s)

s-cpu-1.6G s-cpu-2.0G s-cpu-2.4Gm-cpu-1.6 m-cpu-2.0 m-cpu-2.4st-gpu

50 100 150 200 250 300

0.4

0.6

0.8

1

Packet Size (Byte)P

acke

t Rat

io

One NIC Experiments

50 100 150 200 250 300

0.4

0.6

0.8

1

Packet Size (Byte)

Pac

ket R

atio

Two NIC Experiments

1.6GHz

2.0GHz

2.4GHz

OnDemand

1.6GHz

2.0GHz

2.4GHz

OnDemand

Performance Evaluation – Overall System Performance

In the experiments: • Generators transmitted packets at wire rate. • Packet sizes are varied across the experiments. • Prototype system run in full operation with sample use case 1.

22

Key Take Aways

• GPUs accelerate network traffic monitoring & analysis.

• A generic I/O architecture to move network traffic from wire into GPU domain.

• A GPU-accelerated library for network traffic capturing, monitoring, and analysis. – Dozens of CUDA kernels, which can be combined in various ways to

perform monitoring and analysis tasks.

23

Question?

Email: wenji@fnal.gov and demar@fnal.gov

Thank You!

24