Scap: stream-oriented network traffic capture and analysis for high-speed networks

Many network monitoring applications must analyze traffic beyond the network layer to allow for connection-oriented analysis, and achieve resilience to evasion attempts based on TCP segmentation. However, existing network traffic capture frameworks provide applications with just raw packets, and leave complex operations like flow tracking and TCP stream reassembly to application developers. This gap leads to increased application complexity, longer development time, and most importantly, reduced performance due to excessive data copies between the packet capture subsystem and the stream processing module. This paper presents the Stream capture library (Scap), a network monitoring framework built from the ground up for stream-oriented traffic processing. Based on a kernel module that directly handles flow tracking and TCP stream reassembly, Scap delivers to user-level applications flow-level statistics and reassembled streams by minimizing data movement operations and discarding uninteresting traffic at early stages, while it inherently supports parallel processing on multi-core architectures, and uses advanced capabilities of modern network cards. Our experimental evaluation shows that Scap can capture all streams for traffic rates two times higher than other stream reassembly libraries, and can process more than five times higher traffic loads when eight cores are used for parallel stream processing in a pattern matching application.