PF_RING


PF_RING is a new type of network socket that dramatically improves packet capture speed. It is characterized by the following properties:

  1. Available for Linux kernels 2.6.X.
  2. As of version 4.X, PF_RING can be used with vanilla kernels (i.e. no kernel patch required).
  3. PF_RING-aware drivers for increased packet capture acceleration.
  4. Device driver independent (best results are achieved with network cards that support NAPI, such as the Intel cards).
  5. Kernel-based packet capture and sampling.
  6. Libpcap support (see below) for seamless integration with existing pcap-based applications.
  7. Ability to specify hundreds of header filters in addition to BPF.
  8. Content inspection, so that only packets matching the payload filter are passed on.
  9. PF_RING plugins for advanced packet parsing and content filtering.
  10. Ability to work in transparent mode (i.e. the packets are also forwarded to the upper layers, so existing applications keep working as usual).
  11. TNAPI support for wire-speed packet capture.
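Properties 5 and 7 above (kernel-side sampling and header filters applied before a packet is copied to the ring) are the ones that save the most CPU, because a packet that fails the filter never leaves the kernel. The following is an added, self-contained user-space model of that pipeline; it is not PF_RING's own code, and the filter structure, the wildcard-zero convention and the constructed 64-byte frames are assumptions made here for illustration. Run it through a batch of made-up Ethernet/IPv4 frames with a "UDP to port 53" filter and 1-in-2 sampling, and count how many frames would actually reach user space.

```c
/* Added example (not PF_RING code): header filter + 1-in-N sampling, the
 * two kernel-side decisions PF_RING makes before copying a packet to a ring. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define PROTO_TCP       6
#define PROTO_UDP       17
#define FRAME_LEN       64   /* minimum Ethernet frame, like the 64-byte test traffic */

/* Header fields a kernel filter looks at before deciding to copy the packet. */
struct pkt_hdr { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

/* Simplified filter (assumption, not PF_RING's real rule struct): 0 = wildcard. */
struct hdr_filter { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse Ethernet/IPv4/{UDP,TCP}. Returns 1 on success, 0 for non-IPv4,
 * truncated frames, non-first fragments, or protocols without ports. */
int parse_headers(const uint8_t *frame, size_t len, struct pkt_hdr *out) {
    if (len < ETH_HLEN + 20 || rd16(frame + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ETH_HLEN + ihl + 4) return 0;   /* need the port fields */
    if (rd16(ip + 6) & 0x1fff) return 0;                  /* fragment offset != 0: no L4 header */
    out->proto = ip[9];
    out->saddr = rd32(ip + 12);
    out->daddr = rd32(ip + 16);
    if (out->proto != PROTO_UDP && out->proto != PROTO_TCP) return 0;
    out->sport = rd16(ip + ihl);
    out->dport = rd16(ip + ihl + 2);
    return 1;
}

int filter_matches(const struct hdr_filter *f, const struct pkt_hdr *h) {
    if (f->proto && f->proto != h->proto) return 0;
    if (f->saddr && f->saddr != h->saddr) return 0;
    if (f->daddr && f->daddr != h->daddr) return 0;
    if (f->sport && f->sport != h->sport) return 0;
    if (f->dport && f->dport != h->dport) return 0;
    return 1;
}

/* Deterministic 1-in-N sampler applied after the filter. */
struct sampler { uint32_t rate, seen; };
static int sampler_accept(struct sampler *s) { return (++s->seen % s->rate) == 0; }

/* Count frames that would be copied into the ring: parse -> filter -> sample. */
size_t capture_pipeline(const struct hdr_filter *f, uint32_t sample_rate,
                        const uint8_t *const *frames, const size_t *lens, size_t n) {
    struct sampler s = { sample_rate ? sample_rate : 1, 0 };
    size_t copied = 0;
    for (size_t i = 0; i < n; i++) {
        struct pkt_hdr h;
        if (!parse_headers(frames[i], lens[i], &h)) continue;  /* non-IP / no ports: dropped */
        if (!filter_matches(f, &h)) continue;
        if (!sampler_accept(&s)) continue;
        copied++;                                               /* here the kernel would copy to the ring */
    }
    return copied;
}

/* Build a constructed IPv4 frame (MACs zeroed, checksums not computed). */
size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t saddr, uint32_t daddr,
                   uint16_t sport, uint16_t dport) {
    memset(buf, 0, FRAME_LEN);
    wr16(buf + 12, ETHERTYPE_IPV4);
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45; wr16(ip + 2, 28); ip[8] = 64; ip[9] = proto;
    wr32(ip + 12, saddr); wr32(ip + 16, daddr);
    wr16(ip + 20, sport); wr16(ip + 22, dport);
    return FRAME_LEN;
}

/* Constructed traffic: 4 DNS queries (UDP/53), 1 TCP/80 frame, 1 ARP frame.
 * Filter "UDP to port 53" with 1-in-2 sampling -> 2 frames reach the ring. */
size_t demo_dns_sampled(void) {
    static uint8_t frames[6][FRAME_LEN];
    const uint8_t *ptrs[6]; size_t lens[6];
    for (int i = 0; i < 4; i++)
        lens[i] = build_frame(frames[i], PROTO_UDP, 0x0A000001u + (uint32_t)i, 0x0A000035u, (uint16_t)(40000 + i), 53);
    lens[4] = build_frame(frames[4], PROTO_TCP, 0x0A000001u, 0x0A000050u, 40100, 80);
    memset(frames[5], 0, FRAME_LEN); wr16(frames[5] + 12, 0x0806); lens[5] = 42;   /* ARP */
    for (int i = 0; i < 6; i++) ptrs[i] = frames[i];
    struct hdr_filter dns = { .proto = PROTO_UDP, .dport = 53 };   /* other fields 0 = wildcard */
    return capture_pipeline(&dns, 2, ptrs, lens, 6);
}

int main(void) {
    printf("frames copied to ring: %zu\n", demo_dns_sampled());
    return 0;
}
```

Two points to carry over to a real deployment: a filter that inspects L4 ports must refuse non-first fragments (no port fields there), and sampling is applied after filtering, otherwise the sample rate would be diluted by traffic you never wanted.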

If you want to know about PF_RING internals you have two options. Either read the papers:

or have a look at the source code.


Who needs PF_RING?


Basically everyone who has to handle many packets per second. What 'many' means depends on the hardware you use for traffic analysis: it can range from 20k pkt/sec on an i486 to 500k pkt/sec on a Pentium IV. PF_RING not only lets you capture packets faster, it also captures them more efficiently, preserving CPU cycles. To give you some figures, you can see how fast nProbe, a NetFlow v5/v9 probe, can go using PF_RING, or have a look at the table below.

All tests have been performed using a 1.86 GHz Core2Duo, Ubuntu Server 9.10 (kernel 2.6.31-14), and an IXIA 400 traffic generator injecting traffic at wire rate (64-byte packets, 1.48 Mpps). As of PF_RING 4.1, when inserting the pf_ring kernel module it is possible to select one of three operational modes: