Load Balancing using Flow Abstraction Interface

Configuration for Load Balancing

SF-TAP flow abstractor provides a load balancing mechanism for application-level analyzers by using the flow abstraction interfaces. The flow abstraction interface can be divided into multiple interfaces by specifying the ‘balance’ field in the configuration file as follows.

http:
  up:      '^[-a-zA-Z]+ .+ HTTP/1\.(0\r?\n|1\r?\n([-a-zA-Z]+: .+\r?\n)+)'
  down:    '^HTTP/1\.[01] [1-9][0-9]{2} .+\r?\n'
  proto:   TCP
  if:      http
  format:  text
  body:    yes
  nice:    100
  balance: 4 # flows are balanced by 4 interfaces, must be power of 2

In this case, 4 HTTP interfaces are provided for HTTP protocol as follows.

$ ls /tmp/sf-tap/tcp
/tmp/sf-tap/tcp/http0=      /tmp/sf-tap/tcp/http2=
/tmp/sf-tap/tcp/http1=      /tmp/sf-tap/tcp/http3=

Effect of Multiple Processes

Thus, an HTTP analyzer can take advantage of multiple CPU cores by connecting load balancing interfaces as follows.

$ python3 http/sftap_http.py /tmp/sf-tap/tcp/http0

$ python3 http/sftap_http.py /tmp/sf-tap/tcp/http1

$ python3 http/sftap_http.py /tmp/sf-tap/tcp/http2

$ python3 http/sftap_http.py /tmp/sf-tap/tcp/http3

Following graphs show CPU loads of the HTTP analyzer with 1, 2, and 4 processes when generating 2500 HTTP requests per second. The analyzer could not handle the requests with 1 single process, but it could handle the requests with 2 or 4 processes.