Network monitoring projects

The Fairly Fast Packet Filter

The fairly fast packet filter (FFPF) is an approach to network packet processing that adds many new features to existing filtering solutions like BPF. FFPF is designed for high speed by pushing computationally intensive tasks to the kernel (or even network processor) and by minimising packet copying. By providing both a richer programming language and explicit extensibility, it is also considerably more flexible than existing approaches. FFPF provides a complete solution for network monitoring that caters to all applications available today. Using its extensibility, the language can even be used as a meta-filter to `script' together filters from other approaches, such as BPF.

Since FFPF has been completely rewritten and extended beyond recognition, it has been renamed Streamline. It now offers support for Streams (e.g., TCP flows), transmission, storage, etc.

A paper about FFPF was published in the proceedings of OSDI'04 (San Francisco, December 2004). See the publications page for more FFPF papers and technical reports.

Streamline/FFPF code and documentation can be found at the Streamline/FFPF site.

CardGuard

CardGuard is a network intrusion detection/prevention system implemented on a single IXP1200 network card. It works on reconstructed TCP streams as well as individual UDP packets and scans all traffic for the occurrence of up to thousands of intrusion signatures. CardGuard can be used to protect a single host, or a small cluster of machines attached to a switch, and supports full fast Ethernet rates. An advantage of the system is that no precious cycles on the hosts are spent on scanning network traffic for viruses and worms.

  • A paper about CardGuard:
  • Here is a technical report about an older version of the system (much less advanced).

    Other monitoring projects

    Information about other projects like (SCAMPI, LOBSTER, etc.) is available from my website.