Open Packet Monitoring on FLAME: Safety, Performance, and Applications

  • Kostas G. Anagnostakis
  • Michael Greenwald
  • Sotiris Ioannidis
  • Stefan Miltchev
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2546)


Packet monitoring arguably needs the flexibility of open architectures and active networking. In earlier work we have implemented FLAME, an open monitoring system, that balanced flexibility and safety while attempting to achieve high performance by combining the use of a type-safe language, lightweight run-time checks, and fine-grained policy restrictions.

We seek to understand the range of applications, workloads, and tra.c, for which a safe, open, traffic monitoring architecture is practical. To that end, we investigated a number of applications built on top of FLAME.We use measurement data and analysis to predict the workload at which our system cannot keep up with incoming traffic.We report on our experience with these applications, and make several observations on the current state of open architecture applications.


Network Interface Card Packet Rate Trajectory Sampling Worm Detection Open Monitoring System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [1]
    D. S. Alexander, W. A. Arbaugh, M. W. Hicks, P. Kakkar, A. D. Keromytis, J. T. Moore, C. A. Gunter, S. M. Nettles, and J. M. Smith. The Switc hWare active network architecture. IEEE Network, 12(3):29–36, May/June 1998.CrossRefGoogle Scholar
  2. [2]
    K. G. Anagnostakis and H. Bos. Towards flexible real-time network monitoring using a network processor. In Proceedings of the 3rd USENIX/NLUUG SANE Conference (short paper), May 2002.Google Scholar
  3. [3]
    K. G. Anagnostakis, S. Ioannidis, S. Miltchev, J. Ioannidis, M. B. Greenwald, and J. M. Smith. Efficient packet monitoring for network management. In Proceedings of the 8th IFIP/IEEE Network Operations and Management Symposium (NOMS), pages 423–436, April 2002.Google Scholar
  4. [4]
    K. G. Anagnostakis, S. Ioannidis, S. Miltchev, and J. M. Smith. Practical network applications on a lightweight active management environment. In Proceedings of the 3rd Int’l Working Conference on Active Networks (IWAN), pages 101–115, October 2001.Google Scholar
  5. [5]
    M. Blaze, J. Feigenbaum, J. Ioannidis, and A. D. Keromytis. The KeyNote Trust Management System Version 2. Internet RFC 2704, September 1999.Google Scholar
  6. [6]
    H. Bos and B. Samwel. Safe kernel programming in the OKE. In Proceedings of IEEE OPENARCH 2002, June 2002.Google Scholar
  7. [7]
    J. Brunner. The Shockwave Rider. Del Rey Books, Canada, 1975.Google Scholar
  8. [8]
    J. Chase, H. Levy, M. Baker-Harvey, and E. Lazowska. Opal: A single address space system for 64-bit architectures. In Proceedings of the Fourth Workshop on Workstation Operating Systems, pages 80–85, 1993.Google Scholar
  9. [9]
    N. Duffield and M. Grossglauser. Trajectory sampling for direct traffic observation. IEEE/ACM Transactions on Networking, 9(3):280–292, June 2001.CrossRefGoogle Scholar
  10. [10]
    M. Hicks, J. T. Moore, and S. Nettles. Compiling PLAN to SNAP. In Proceedings of the 3rd Int’l Working Conference on Active Networks (IWAN), pages 134–151, October 2001.Google Scholar
  11. [11]
    S. Ioannidis, K. G. Anagnostakis, J. Ioannidis, and A. D. Keromytis. xPF: packet filtering for low-cost network monitoring. In Proceedings of the IEEE Workshop on High-Performance Switching and Routing (HPSR), pages 121–126, May 2002.Google Scholar
  12. [12]
    T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In Proceedings of USENIX 2002 Annual Technical Conference, June 2002.Google Scholar
  13. [13]
    T. V. Lakshman and U. Madhow. The performance of TCP/IP for networks with high bandwidth-delay products and random loss. IEEE/ACM Transactions on Networking, 5(3):336–350, June 1997.CrossRefGoogle Scholar
  14. [14]
    G. R. Malan and F. Jahanian. An extensible probe architecture for network protocol performance measurement. In Proceedings of ACM SIGCOMM, pages 215–227, August 1998.Google Scholar
  15. [15]
    J. C. Mogul and K. K. Ramakrishnan. Eliminating receive livelock in an interruptdriven kernel. ACM Transactions on Computer Systems, 15(3):217–252, August 1997.CrossRefGoogle Scholar
  16. [16]
    D. Moore. The spread of the code-red worm (crv2). In August 2001.
  17. [17]
    R. Morris, E. Kohler, J. Jannotti, and M. F. Kaashoek. The click modular router. In Proceedings of the 17th ACM Symposium on Operating System Principles (SOSP), pages 217–231, December 1999.Google Scholar
  18. [18]
    C. Partridge, A. Snoeren, T. Strayer, B. Schwartz, M. Condell, and I. Castineyra. FIRE: Flexible intra-AS routing environment. In Proceedings of ACM SIGCOMM, pages 191–203. August 2000.Google Scholar
  19. [19]
    M. Roughan, D. Veitch, and P. Abry. Real-time estimation of the parameters of long-range dependence. IEEE/ACM Transactions on Networking, 8(4):467–478, August 2000.CrossRefGoogle Scholar
  20. [20]
    F. B. Schneider, G. Morrisett, and R. Harper. A language-based approach to security. Informatics: 10 Years Back, 10 Years Ahead, pages 86–101, 2000.Google Scholar
  21. [21]
    J. F. Shoch and J. A. Hupp. The “worm” programs-early experiments with a distributed computation. Communications of the ACM, 25(3):172–180, March 1982.CrossRefGoogle Scholar
  22. [22]
    J. M. Smith and C. B. S. Traw. Giving applications access to Gb/s networking. IEEE Network, 7(4):44–52, July 1993.CrossRefGoogle Scholar
  23. [23]
    D. Tennenhouse, J. Smith, W. Sincoskie, D. Wetherall, and G. Minden. A survey of active network research. IEEE Communications Magazine, pages 80–86, January 1997.Google Scholar
  24. [24]
    D. Wetherall. Active network vision and reality: Lessons from a capsule-based system. In Proceedings of the 17th ACM Symposium on Operating System Principles (SOSP), pages 64–79, December 1999.Google Scholar
  25. [25]
    C. Yarvin, R. Bukowski, and T. Anderson. Anonymous RPC: Low-latency protection in a 64-bit address space. In Proceedings of the 1993 Summer USENIX Conference, June 1993.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Kostas G. Anagnostakis
    • 1
  • Michael Greenwald
    • 1
  • Sotiris Ioannidis
    • 1
  • Stefan Miltchev
    • 1
  1. 1.CIS DepartmentUniversity of PennsylvaniaPhiladelphiaUSA

Personalised recommendations