Self Configuring Network Monitor (SCNM) Manual

Introduction

The Self-Configuring Network Monitor (SCNM) is designed to allow network users to passively monitor their own traffic stream as it traverses the network, without requiring special privileges or intervention by network administrators. A user wishing to monitor a particular stream sends a special request packet through the network between the same two hosts that are the source and destination of the traffic to monitor. A request packet automatically activates monitors along the path. Since the request is sent to the application destination endpoint, not to the SCNM monitoring host, the user does not need to explicitly know the locations and identities of the SCNM hosts on the path. All the SCNM monitoring hosts listen for these special UDP request packets on a well-known port. Each SCNM host along the data path captures the activation packet as it travels past its interface. The request packet specifies the characteristics of the traffic to monitor, including source, destination, and port(s) of the traffic.
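
The activation step described above can be sketched as follows. This is an added example, not SCNM code: the request layout, the `SCNM` marker and the duration cap are assumptions made for illustration, and the manual does not give the real wire format. It shows a monitor accepting a request only when the request packet itself travels between the two endpoints of the stream it names, then deriving a capture filter.

```python
import ipaddress
import struct

# Hypothetical request layout (NOT SCNM's real wire format), network byte order:
#   magic, flow source IPv4, flow destination IPv4,
#   source port (0 = any), destination port (0 = any), duration in seconds
REQUEST = struct.Struct("!4s4s4sHHI")
MAGIC = b"SCNM"        # placeholder marker, assumed
MAX_DURATION = 600     # assumed local policy cap, in seconds


def filter_from_request(pkt_src, pkt_dst, payload):
    """Return a BPF filter string for a request seen on the tap, or None.

    pkt_src and pkt_dst are the IP addresses of the UDP packet that
    carried the request; payload is its UDP payload.
    """
    if len(payload) != REQUEST.size:
        return None
    magic, raw_src, raw_dst, sport, dport, duration = REQUEST.unpack(payload)
    if magic != MAGIC or not 0 < duration <= MAX_DURATION:
        return None
    flow_src = ipaddress.IPv4Address(raw_src)
    flow_dst = ipaddress.IPv4Address(raw_dst)
    if flow_src == flow_dst:
        return None
    # The request is sent between the same two hosts as the monitored
    # stream, so the carrying packet's addresses must be the flow endpoints.
    carrier = {ipaddress.IPv4Address(pkt_src), ipaddress.IPv4Address(pkt_dst)}
    if carrier != {flow_src, flow_dst}:
        return None
    parts = [f"src host {flow_src}", f"dst host {flow_dst}"]
    if sport:
        parts.append(f"src port {sport}")
    if dport:
        parts.append(f"dst port {dport}")
    return " and ".join(parts)


# Constructed sample request using documentation address ranges.
SAMPLE = REQUEST.pack(
    MAGIC,
    ipaddress.IPv4Address("192.0.2.10").packed,
    ipaddress.IPv4Address("198.51.100.20").packed,
    0, 5001, 60,
)

if __name__ == "__main__":
    print(filter_from_request("192.0.2.10", "198.51.100.20", SAMPLE))
```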

The hardware infrastructure for SCNM is designed to be easy to install and administer securely. Figure 1 shows a typical configuration between two application hosts, or end hosts, across a WAN. A read-only tap is placed on the DMZ between the site border router and the ISP router, and the monitoring host, which we call the SCNM monitoring host, is connected to this tap. Since this is a read-only tap, the SCNM machine will not be able to generate any traffic through this interface. The SCNM monitoring host has an additional network interface (usually on an internal network) used for administering the SCNM host and transmitting monitoring output data. The SCNM host runs the FreeBSD operating system and does not by default run any services; an sshd can be configured if desired to allow remote maintenance access. The kernel network drivers in an SCNM host are a modified version we have created to allow us to timestamp packets down on the network card and appropriately moderate interrupts, so that the machine can keep up with high traffic rates. SCNM will work with any type of Ethernet, and has been optimized for GigE over fiber. SCNM will also work with bonded GigE.

SCNM has proven to be very useful for debugging network, protocol, and application performance problems. For sample results see Figure 2.

For more details, read our Passive and Active Monitoring Workshop (PAM) 2003 paper on SCNM:

http://www-didc.lbl.gov/papers/SCNM-PAM03.pdf