

Software Architecture

MAGNeT consists of both Linux kernel modifications and user application programs. In order to accurately mark events occurring throughout the protocol stack, MAGNeT must exist within the kernel; that is, there must be hooks in the protocol stack code to allow MAGNeT to record events at certain points. Running in the kernel also has the advantage of being able to acquire application traffic patterns with unmodified applications (e.g., there is no need to re-compile or re-link against a special instrumented network library). However, in order to provide the maximum amount of flexibility in data acquisition and processing, the ability to start and end traffic monitoring should be controlled by the user. Therefore, when MAGNeT collects data in the kernel, the data is placed in a special memory region to be read and used by a separate user-application program.

The dataflow in a system running MAGNeT is shown in Figure 1. Unmodified applications run as normal on the host system, periodically making use of the network communication routines in the kernel (such as the send() and recv() system calls). These kernel routines, in turn, make use of TCP, IP, or other network protocols to transfer data on the network. Under MAGNeT, each time a network-stack event (e.g., send(), entering TCP, entering IP, etc.) occurs in the kernel, the function magnet_add() is also called by the kernel. This procedure saves relevant data to a circular buffer in kernel space, which is then saved to disk by a user-level application program (magnet-read is provided with the MAGNeT distribution for this purpose but could easily be replaced by a more sophisticated application).

Figure 1: Overview of MAGNeT Operation
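
The producer/consumer split described above, as an added single-threaded sketch in C (not MAGNeT's code): a hook-side add routine fills a circular buffer and a reader-side routine drains it. The record fields, buffer size, the names ring_add and ring_drain, and the choice to drop and count events when the buffer is full are all assumptions; the page does not specify them, and real kernel/user sharing would also need synchronization that is omitted here.

```c
#include <stdint.h>
#include <stdio.h>

#define RING_SLOTS 8u            /* assumed capacity, kept small for the demo */

struct event {                   /* hypothetical record layout */
    uint64_t timestamp;          /* when the stack event occurred */
    uint32_t event_id;           /* which layer fired (send, TCP, IP, ...) */
    uint32_t size;               /* bytes handled at that layer */
};

struct ring {
    struct event slot[RING_SLOTS];
    uint32_t head;               /* count of records written by the producer */
    uint32_t tail;               /* count of records read by the consumer */
    uint32_t lost;               /* events dropped because the reader lagged */
};

/* Producer: what an in-kernel hook would call per event. It never blocks;
 * when the buffer is full the event is counted as lost (assumed policy). */
static int ring_add(struct ring *r, uint64_t ts, uint32_t id, uint32_t size)
{
    if (r->head - r->tail == RING_SLOTS) {
        r->lost++;
        return -1;
    }
    struct event *e = &r->slot[r->head % RING_SLOTS];
    e->timestamp = ts; e->event_id = id; e->size = size;
    r->head++;
    return 0;
}

/* Consumer: copies out up to max records, as a user-level reader would
 * before writing them to disk. Returns the number of records copied. */
static uint32_t ring_drain(struct ring *r, struct event *out, uint32_t max)
{
    uint32_t n = 0;
    while (n < max && r->tail != r->head)
        out[n++] = r->slot[r->tail++ % RING_SLOTS];
    return n;
}

int main(void)
{
    struct ring r = {0};
    struct event buf[RING_SLOTS];
    for (uint32_t i = 0; i < 10; i++)        /* constructed events */
        ring_add(&r, 1000 + i, i % 3, 1460);
    printf("drained=%u lost=%u\n", ring_drain(&r, buf, RING_SLOTS), r.lost);
    return 0;
}
```

The lost counter is the point of interest for anyone trusting the trace: a reader that cannot keep up leaves gaps, and the gap size has to be recorded somewhere for the capture to be interpreted correctly.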



Jeffrey R. Hay 2001-09-12