PF_RING
PF_RING is a new type of network socket that dramatically improves packet capture speed, and that is characterized by the following properties:
- Available for Linux kernels 2.4.X and 2.6.X
- Device driver independent (best results can be achieved using network cards that support NAPI such as the Intel cards)
- Kernel-based packet capture and sampling.
- Libpcap support (see below) for seamless integration with existing pcap-based applications.
- Ability to specify hundreds of header filters in addition to BPF.
- Content inspection, so that only packets matching the payload filter are passed.
- New PF_RING plugins for advanced packet parsing and content filtering.
- Ability to work in transparent mode (i.e. the packets are also forwarded to the upper layers, so existing applications will work as usual).
If you want to know about PF_RING internals you have two options: either read the papers, or have a look at the source code.
Who needs PF_RING?
Basically everyone who has to handle many packets per second. The term 'many' changes according to the hardware you use for traffic analysis: it can range from 20k pkt/sec on an i486 to 500k pkt/sec on a Pentium IV. PF_RING not only enables you to capture packets faster, it also captures them more efficiently, saving CPU cycles. Just to give you some figures, you can see how fast nProbe, a NetFlow v5/v9 probe, can go using PF_RING.
Availability
PF_RING is available under the GPL licence. You can download it using SVN:
- mkdir my_pf_ring_goes_here
- cd my_pf_ring_goes_here
- svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
How to build and use PF_RING
Have a look at the PF_RING user's guide.
Credits