2009 International Conference on Future Computer and Communication

Web-based Portable Network Traffic Monitoring System based on Embedded Linux and SBC

Mostafijur Rahman, Zahereel Ishwar Abdul Khalib, R. B. Ahmad, Salina Mohd Asi
School of Computer and Communication Engineering, Universiti Malaysia Perlis, P.O. Box 77, d/a Pejabat Pos Besar, 01007 Kangar, Perlis.
Email: [email protected]

Abstract- This paper describes the design and implementation of a web-based portable network traffic monitoring system (PNtMS) on an embedded Linux platform, based on a single board computer (SBC). The monitoring system processes TCP/IP network traffic for network protocol analysis and traffic monitoring. Structurally, the system is divided into three parts, which can be mapped onto different layers of the operating system. The monitoring system is designed to capture network packet information and perform statistical analysis. The analyzed data are then stored in log files that can be shown through a web browser and an onboard LCD panel mounted on the SBC. Results show that the low-end embedded Linux platform is fit to produce a reliable web-based network traffic monitoring system.

Keywords- Embedded Linux; Single Board Computer; Network Traffic Monitoring.

I. INTRODUCTION

Alongside the exponential increase in hardware technology described by Moore’s law, there is an analogous exponential growth in embedded software [1]. Programmers are therefore focusing more and more on developing software for embedded systems to make it portable and platform independent. In the same way, because of the resource limitations in terms of processing power, memory, and power consumption, this network traffic monitoring and protocol analysis tool has been developed to make efficient use of the limited resources.

Linux is an open-source operating system that can be downloaded, modified, and maintained for embedded applications. In fact, commercial Linux support is appearing throughout the embedded industry. Vendors of bus modules and single-board computers now offer Linux preconfigured with their products. TSLinux is custom made to be used on a Technologic Systems Single Board Computer, and is unsupported in any other use [2]. It is an open source project and a compact distribution based on GPL and GPL-like licensed applications, and was developed from “Linux From Scratch” and Mandrake. The current version of TSLinux is 3.07a. For development, the TSLinux provider offers development tools on its web site [2]. The features of TSLinux include Glibc (V 2.2.5), Kernel (V 2.4.23), Apache web server with PHP, Telnet server and client, FTP server and client, BASH, and other basic utilities, with a total footprint of less than 18 MB.

Technologic Systems (TS) provides Single Board Computers with the TSLinux operating system (OS). The model used in this research, the TS-5400, is a compact, full-featured PC-compatible Single Board Computer based on the AMD Elan520 processor at 133 MHz, with 16MB SDRAM, 2MB onboard Flash, dual 10/100 Ethernet, 3 COM ports, 1 Compact Flash socket, 24 DIO, DiskOnChip support, and Matrix Keypad and text LCD support. The TS-5400 is also fanless, with a temperature range of -20° to +70°C and a power requirement of 5V DC @ 800 mA; its dimensions are 4.1" x 5.4" [3].

The proliferation of the internet has increased the pace of network expansion. In this age of big and complex networks, network monitoring applications need effective ways of checking the status of their networks so that network management applications can fully control the network and provide economical and high-quality networking services to the users. The basic goals of network monitoring are performance, fault and accounting monitoring [4]. Knowing these goals, a network monitoring application can choose the network monitoring techniques that will best help to monitor the networks.

This paper describes the design and implementation of a web-based and portable network traffic monitoring and protocol analysis tool on an embedded Linux platform based on an SBC. This paper also shows how embedded Linux can cope with the limitations inherent in a low-end embedded platform in producing a reliable network traffic monitoring and protocol analysis tool. The system has been designed to capture packet information from the network and perform statistical analysis. These data are then stored in log files. The network traffic information can be seen through a web browser or the onboard LCD panel. The statistical analysis provides data on the volume and types of traffic transferred within a LAN, the traffic generated per node, the amount of traffic going through or coming from a system or application

978-0-7695-3591-3/09 $25.00 © 2009 IEEE DOI 10.1109/ICFCC.2009.14


which is causing a bottleneck, and the level of peak traffic.

II. WORKING OF THE DESIGN

Embedded systems are usually resource limited in terms of processing power, memory, and power consumption. Because of these limitations, the architectural design is made carefully to suit the embedded system. The architectural design of this network traffic monitoring system is shown in Figure 1. The structural breakdown of this software is generically segregated into three parts: probe, analysis and view.

The ‘probe’ part is on the target system. In this design the packet header information from the network adapter is received directly in the user buffer for analysis. This happens in the probe part, which captures all incoming packets from the network. This part operates at the network layer and captures packet header information physically through the Network Interface Card (NIC). The working steps of the probe part are shown in Figure 2.

The first step of the probe part is to allocate an available capture device. If more than one NIC is connected to the internet, the first NIC (Eth0) is allocated as the capture device. It is also possible to set another NIC for packet capture. In this part the capture device collects the network address and net mask to set the capture mode. The next step is to set, compile and apply the packet filter type. The packet filter type can be only TCP, only IP, only UDP, or all types. Then memory is allocated for the packet buffer. After that, packet capture starts and the packets are processed according to the packet header information.

Figure 2. Flowchart of Probe module

For further use, all of the processed data is stored in a data buffer. After a while the analyzer analyzes all captured data. In the analysis part, the available hosts are selected and their information is updated. Then the selected hosts’ information is sorted according to captured bytes. After analysis, all global traffic and host traffic information is saved into several files for monitoring using a web browser. Some statistical data are also shown through the LCD panel mounted on the embedded platform.

III. IMPLEMENTATION

A. Implementation of Probe Module

The Packet Capture library provides both high and low level interfaces to the packet capturing system. All packets on the network are accessible through this library mechanism [6]. Libpcap is one such library. Libpcap provides functions for user-level packet capture, used in low-level network monitoring [7]. It is the main component from the programmer’s perspective because it hides the interaction between the application and the kernel. It exports a set of functions that can be linked to the user’s application and provides a powerful and abstract interface to the capturing process. It includes the filter generation, the management of the user-level buffer, and the interaction between kernel and user mode. The user-level buffer is used to store packets coming from the kernel and, being at user level, it prevents the application from accessing kernel-managed memory. The functions provided by libpcap are available only for capturing purposes; this library does not support sending packets or monitoring the network [8]. In the packet capture process each packet is stored in a C language defined structure.

B. Implementation of Analyzer Module

Figure 1. Architectural design of PNtMS

The probe part extracts each packet's header information and stores it in a data buffer for further analysis. After a while the analyzer analyzes all captured data. This part is divided into two portions. The first one is to find available hosts from the captured packet information and update their information. The second portion is to sort all host information in descending order according to their captured bytes. Then all host information is stored in some files for viewing. Some mathematical calculations and processing are done in this part. The calculations are given below:

i) Each packet capture time:
   StartTime (microseconds)
   PacketCaptureFunction()
   EndTime (microseconds)
   Time = EndTime – StartTime (microseconds)

ii) Total data transfer: $\sum_{i=0}^{n} \text{Cbytes}$ (Bytes), where n is the number of captured packets and Cbytes is the length of each captured packet

iii) Average Packet Size: Total captured packet length / No. of packets

iv) Data Transfer Rate: (Total captured packet length (Bytes) * 8) / (Capture Time Duration * 1000) (Kbps)

The other calculations are done at packet processing time. In this part the peak traffic information can also be obtained from the expected packet capture rate (input from the keypad) and the current packet capture rate.

C. Implementation of Viewer Module

The viewer part is also called the user interface part. This part contains two view options: one is the LCD panel (2x24 or 48 characters display) and the other is web based. The LCD panel is used to show the program and system control options. A keypad (4x4 matrix) is used to control the whole system. It is used to start or stop the analysis process. It is also possible to restart and shut down the SBC through the keypad. The web uniform resource locator (URL) address at which the real traffic information can be displayed can be shown on the LCD panel. The SBC’s system information (such as IP address, primary and secondary memory usage, and system running time) can be shown on the LCD panel. The traffic status alarm, such as peak or non-peak traffic mode, can be displayed on the LCD. A Linux shell script program has been written to handle program and system control.

The other viewer part of the PNtMS has been implemented using PHP and HTML. Both viewer parts are embedded in the TSLinux OS on the TS-5400. The analyzer part analyzes packet information and stores it in files in HTML format. The PHP script reads all of the files according to the selection option and displays internet traffic information. Figure 3 displays the page with all the information selection options. The real traffic information is the information within the time interval entered from the keypad. In this option global network traffic and all host information are shown. The host information is sorted in descending order according to the captured bytes. The long-term information indicates the previous information. Basically, this is the information provided in the web browser, which is the minimum sufficient for the network administrator to analyze the network. Figure 4 shows the SBC’s system status, by which the administrator can easily identify some common errors on the SBC.

Figure 3. Web-based traffic statistics menu
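The per-packet header processing of Section III.A and the analyzer steps of Section III.B (host update, descending sort, calculations ii to iv) are shown here as an added example; it is not code from the paper and runs on constructed frames without libpcap. The struct layout, the function names, the MAX_HOSTS bound and the reading of "Capture Time Duration" as seconds are assumptions.

```c
/* Added illustration: names, layout and MAX_HOSTS are assumptions, not PNtMS code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HOSTS 64                       /* fixed table: little free RAM on the SBC */
struct host  { uint32_t ip; uint64_t bytes; };
struct stats { struct host h[MAX_HOSTS]; size_t nhosts;
               uint64_t total, pkts, tcp, udp, other, dropped; };

/* Validate an Ethernet II + IPv4 header before reading any field from it. */
static int parse(const uint8_t *b, size_t caplen, uint32_t *src, uint8_t *proto)
{
    if (caplen < 14 + 20 || b[12] != 0x08 || b[13] != 0x00) return -1;
    size_t ihl = (size_t)(b[14] & 0x0f) * 4;          /* IP header length in bytes */
    if ((b[14] >> 4) != 4 || ihl < 20 || caplen < 14 + ihl) return -1;
    *proto = b[23];                                   /* IP protocol field */
    *src = (uint32_t)b[26] << 24 | (uint32_t)b[27] << 16 | (uint32_t)b[28] << 8 | b[29];
    return 0;
}

/* Account one frame; wirelen is the packet length (Cbytes in the formulas).
 * Malformed frames and hosts beyond the table size are counted as dropped. */
int account(struct stats *s, const uint8_t *b, size_t caplen, uint32_t wirelen)
{
    uint32_t src; uint8_t proto; size_t i = 0;
    if (parse(b, caplen, &src, &proto) != 0) { s->dropped++; return -1; }
    while (i < s->nhosts && s->h[i].ip != src) i++;   /* find the source host */
    if (i == s->nhosts) {
        if (i == MAX_HOSTS) { s->dropped++; return -1; }
        s->h[s->nhosts++] = (struct host){ src, 0 };
    }
    s->h[i].bytes += wirelen; s->total += wirelen; s->pkts++;
    if (proto == 6) s->tcp++; else if (proto == 17) s->udp++; else s->other++;
    return 0;
}

static int desc(const void *a, const void *b)         /* largest byte count first */
{
    uint64_t x = ((const struct host *)a)->bytes, y = ((const struct host *)b)->bytes;
    return (x < y) - (x > y);
}
void sort_hosts(struct stats *s) { qsort(s->h, s->nhosts, sizeof s->h[0], desc); }
double avg_size(const struct stats *s) { return s->pkts ? (double)s->total / s->pkts : 0; }
/* Kbps = bytes * 8 / (duration * 1000); duration assumed to be in seconds. */
double rate_kbps(const struct stats *s, double secs)
{ return secs > 0 ? s->total * 8.0 / (secs * 1000.0) : 0; }

/* Constructed sample frame: 34 header bytes, IPv4 without options. */
void make_frame(uint8_t f[34], uint32_t src, uint8_t proto)
{
    memset(f, 0, 34); f[12] = 0x08; f[14] = 0x45; f[23] = proto;
    f[26] = src >> 24; f[27] = src >> 16; f[28] = src >> 8; f[29] = src;
}
```

Frames that are truncated, not IPv4, or carry a header length larger than the captured data are rejected before any address or protocol byte is read, so a malformed packet cannot push the analyzer past the end of the capture buffer.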

Figure 4. Web-based SBC information menu.

IV. RESULT AND DISCUSSION

It was expected that the final implementation of this monitoring system would be inside the TS-5400 SBC. The implementation shows that, judged by the architecture, performance and memory size, the monitoring system is successfully implemented. Figure 5 shows the complete implementation setup of the network traffic monitoring system combined with the SBC components. Table 1 shows the available memory in the TS-5400 SBC. The synthesis results are shown in Table 2, where at program execution time the SBC shows an average CPU usage of 0.725%, primary memory usage of 4.175% and an analysis time of 8.916 milliseconds at 15351 packets. Figure 6 shows that a rise in the packet capture rate increases the analysis time taken by the analyzer. Even though the analysis time is measured in milliseconds, the analyzer takes a very small amount of time for analysis.

From the viewer part it can easily be seen which machine is generating the most traffic on a segment, and in this way it can be discovered whether the segment is at peak traffic or not and who is causing the bottleneck. Popular services can also be seen, which helps the administrator balance server loads. Besides, this can help to discover any machines that are not registered on a particular segment, which can be of great security importance.

Figure 5. Complete setup of PNtMS components

Table 1. Memory Status of TS-5400

Name of the module      Resources
Total RAM size          16384 KB
Already used by OS      15806 KB
Available RAM space     578 KB
Total CF size           1024 MB
Already used by OS      159 MB
Available CF space      865 MB

Table 2. Performance at program execution time

Technology              TS-5400
Speed in MHz            133
Execution Type          Sequential
Avg. CPU Usage (%)      0.725
Avg. RAM Usage (%)      4.175
Avg. Analysis Time      8.961 ms

Figure 6. Packets analysis time by analyzer.

V. CONCLUSION

This paper has introduced the protocol analysis, monitoring system design and implementation, with performance analysis, on an embedded Linux platform. Utilizing the SBC to capture and analyze network packet information has made the idea of a portable network traffic analyzer a success. Currently the major protocols in the TCP/IP protocol suite, and also multicast traffic, can be characterized by this monitoring system. PNtMS has been equipped with the major well-known ports, and hence it can organize some major services carried over both TCP and UDP transmission. This puts PNtMS in a position to analyze network traffic and give valuable information about a network.

REFERENCE

[1] P. Raghavan, Amol Lad, Sriram Neelakandan, “Embedded Linux system design and development”, Auerbach Publications, New York, 2006.
[2] Linux Developer’s Manual, http://www.embeddedarm.com
[3] Technologic Systems, PC/104 Single Board Computers and Peripherals for Embedded Systems. http://www.embeddedarm.com/products/boarddetail.php?product=TS-5400
[4] William Stallings, “SNMP, SNMPv2, and RMON: Practical Network Management, Second Edition”, Addison-Wesley Professional Computing and Engineering, 1996.
[5] Xuejian Luan, Jing Ying, Minghui Wu, “A Heterogeneous Evolutional Architecture for Embedded Software”, Fifth International Conference on Computer and Information Technology (CIT'05), 2005, pp. 901-905.
[6] http://www.tcpdump.org/pcap3_man.html
[7] http://www.linuxfromscratch.org/blfs/view/svn/basicnet/libpcap.html
[8] Fulvio Risso and Loris Degioanni, “An Architecture for High Performance Network Analysis”, Proceedings of the Sixth IEEE Symposium on Computers and Communications, July 03-05, 2001, pp. 686-693.