Toward composable network traffic measurement

As the growth of Internet traffic volume and diversity continues, passive monitoring and data analysis, crucial to the correct operation of networks and the systems that rely on them, has become an increasingly difficult task. We present the design and implementation of Blockmon, a flexible, high performance system for network monitoring and analysis. We present experimental results demonstrating Blockmon's performance, running simple analyses at 10Gb/s line rate on commodity hardware; and compare its performance with that of existing programmable measurement systems, showing significant improvement (as much as twice as fast) especially for small packet sizes. We further demonstrate Blockmon's applicability to measurement and data analysis by implementing and evaluating three sample applications: a flow meter, a TCP SYN flood detector, and a VoIP anomaly-detection system.