Performance on Virtualization Environments with Virtual TAP A

Abstract

ABSTRACT Network traffic monitoring is essential for maintaining the security and performance of software-defined networks (SDNs). It enables administrators to swiftly identify and address issues, optimize network performance, and protect sensitive data from cyber threats. With the increasing prevalence of virtual networks, the need for effective traffic monitoring has grown significantly. However, there is noticeable performance degradation (50% to 70%) when monitoring network traffic in virtual environments. This study investigates the performance reduction associated with virtualized environments using virtual TAPs (Test Access Points) and proposes alternative methods to mitigate this issue. Initially, we utilized the Open vSwitch (OVS) virtual switch and VirtualBox VMs to construct the test network. However, due to inherent bottlenecks in VirtualBox, this approach was unsuccessful. We then built a virtual network using OVS and Docker containers, achieving a network speed between 30 Gbit/s to 35 Gbit/s, which provided a suitable bandwidth for further testing. Our experiments examined the relationship between network traffic and mirror count, revealing no significant impact on network bandwidth. Subsequently, we analyzed network traffic with and without mirroring across various packet sizes, discovering a correlation between packet size and network performance. The most substantial performance drop, approximately 20%, was observed with 1024-byte packets, though this was notably less severe than findings reported by other researchers. Using VTune Profiler and OS/Kernel Profile, we attempted to identify the root cause of the performance drop but were unsuccessful. Further investigation revealed that the physical NIC (Network Interface Card) was a bottleneck, as it struggled to handle mirrored traffic of 20–30 Gbit/s. High-capacity NICs are rare and expensive, prompting us to consider alternative solutions. We propose a preprocessing tool integrated with an OVS-Docker container virtual network setup. This tool filters traffic by source and destination IP addresses and captures packet samples at specified intervals. Additionally, it allows users to input tshark commands directly, providing a flexible and efficient approach to network traffic monitoring.