• DocumentCode
    905399
  • Title

    Architecture for a hardware-based, TCP/IP content-processing system

  • Author

    Schuehler, David V. ; Moscola, James ; Lockwood, John W.

  • Author_Institution
    Washington Univ., St. Louis, MO, USA
  • Volume
    24
  • Issue
    1
  • fYear
    2004
  • Firstpage
    62
  • Lastpage
    69
  • Abstract
    The transmission control protocol is the workhorse protocol of the Internet. Most of the data passing through the Internet transits the network using TCP layered atop the Internet protocol (IP). Monitoring, capturing, filtering, and blocking traffic on high-speed Internet links requires the ability to directly process TCP packets in hardware. High-speed network intrusion detection and prevention systems guard against several types of threats. As the gap between network bandwidth and computing power widens, improved microelectronic architectures are needed to monitor and filter network traffic without limiting throughput. To address these issues, we've designed a hardware-based TCP/IP content-processing system that supports content scanning and flow blocking for millions of flows at gigabit line rates. The TCP splitter technology was previously developed to monitor TCP data streams, sending a consistent byte stream of data to a client application for every TCP data flow passing through the circuit. The content-scanning engine can scan the payload of packets for a set of regular expressions. The new TCP-based content-scanning engine integrates and extends the capabilities of the TCP splitter and the old content-scanning engine. IP packets travel to the TCP processing engine from the lower-layer-protocol wrappers. Hash tables are used to index memory that stores each flow's state.
  • Keywords
    Internet; open systems; search engines; transport protocols; IP packets; Internet protocol; TCP packets; TCP splitter technology; TCP-based content-scanning engine; TCP/IP content-processing system architecture; high-speed network intrusion detection; microelectronic architectures; network traffic; transmission control protocol; Band pass filters; Communication system traffic control; IP networks; Information filtering; Information filters; Internet; Monitoring; Protocols; Search engines; TCPIP;
  • fLanguage
    English
  • Journal_Title
    Micro, IEEE
  • Publisher
    IEEE
  • ISSN
    0272-1732
  • Type

    jour

  • DOI
    10.1109/MM.2004.1269000
  • Filename
    1269000