Components

The Probes

The probe program and the central processing server program are binary executables written in C.

All probes and central collector(s) share the same XML configuration file, which is associated with a fully commented DTD file. Tag attributes let the user specify configuration choices. The configuration file is loaded at startup. When the distributed trafMon online components detect a new version, they restart themselves, either immediately or at the specified start of validity in the future. This way, an update can be taken into account simultaneously by all concerned probes and collector(s).

In order for the probe to be able to process captured packets at wire speed, the trafMon probe has been designed as a pipeline of two processes linked by a circular buffer implemented in shared memory:

The father process is in charge of inspecting the packets captured at one or more interfaces, without copying them out of the Linux kernel-resident ring buffer. In order to measure the actual flow over the data link, the protocol processing inside the Ethernet card is deliberately deactivated. The portable libpcap API is nevertheless used, so that the probe can run on other UNIX-derived flavours. The amount of RAM reserved for the ring buffer can be dimensioned heuristically in order to avoid saturation upon traffic peaks. The father process also implements a quite efficient way to match each packet against the custom-defined flow classification, which decides on its filtering and on the type of measurements to apply to its flow instance. The father locks itself on one CPU core and leaves the others to its child, for efficient parallel processing in the pipeline.

The child process keeps the state information about the different flows in progress.

It performs reassembly of datagram fragments. Then, according to the custom directives of the corresponding flow class, it matches pairs of packets constituting the same two-way transaction, to measure its delay; it interprets the TCP segments and acknowledgement packets to measure the progress of payload transmission and to identify retransmissions. It analyses the command and response exchanges over FTP sessions and matches the associated passive or active FTP data connections, to measure the amount of data transferred.

Each time a new observation is produced, or at the end of an aggregation interval for a metric, a new record is added to the corresponding type of protocol data unit (PDU). When a pending trafMon PDU reaches its maximum size, it is spooled to the sender module at the next available time slot. PDUs are then delivered to the collector at a regulated rate, and are held until acknowledged or retried.

Remarkable events are handled the same way as traffic observations.

But, when compiled with its embedded Net-SNMP sub-agent, the probe can also forward them as SNMP notifications. Furthermore, this sub-agent implements a custom read-only MIB permitting a network manager to monitor the behaviour of the distributed trafMon online components. 
