Virtual PF_RING™ (EOL)

Gigabit Ethernet (and above) Line-Rate Packet Capture on Virtual Machines

vPF_RING (Virtual PF_RING™) extends the operating system-bypass approach followed by PF_RING™ to the context of virtual environments implementing an hypervisor-bypass approach. This means that it is now possible to capture packets directly, in zero-copy fashion, without the involvement of the hypervisor. vPF_RING can do this by creating a mapping between the host kernel-space and the guest user-space, allowing packets to follow a straight path from the NIC to the monitoring applications running on VMs.

The approach followed by vPF_RING dramatically improves performance, which are close to native under most circumstances, while current virtualization approaches have proven ill suited to be used with network monitoring applications when wire-rate packet capture is required.

Since almost all recent processors take advantage of virtualization extensions which allow the guest code to be executed natively, by removing bottlenecks in packet capture it is possible to collapse the gap between performance achieved by virtualized network monitoring applications running on VMs and performance achieved by applications running natively.

vPF_RING takes advantage of the packet filtering and steering capabilities of PF_RING™, both hardware and software.
An early packet filtering prevents packets from being discarded on the guest OS after they have passed through several layers and wasted precious CPU cycles.

Furthermore, applications running on different VMs are able to analyze the same traffic, or different subsets of it. As packet capture is a costly activity, with this solution it is no more necessary to capture the same packets multiple times, because they are captured once and dispatched to various VMs.

Gigabit Ethernet Packet Capture Percentage

Performance tests performed on an entry-level Intel Xeon demonstrate that vPF_RING grants a 0% packet capture loss for all packet sizes on Gigabit Ethernet links (and above), while preexisting software solutions (such as Virtio-Net, the paravirtualized network driver for KVM) can reach 90% under the same conditions.

vPF_RING, combined with PF_RING™-aware drivers, can do much more, capturing several million packets per second without any packet loss on VMs with a single virtual CPU.

vPF_RING is part of the PF_RING™ distribution since version 5.0. For the User’s Manual visit the Documentation section.

Capture Rate (Line-Rate) > 1 Gigabit/Sec
(depends on hardware configuration)
Supported Cards all*
Host Operating System Linux (kernel 2.6.30 or better)
Guest Operating System Linux
Hypervisor KVM
Traffic Reception included
Traffic Injection Not yet supported

* As vPF_RING is based on vanilla PF_RING™, all cards are supported, but performance can vary according to the NIC driver (it is recommended to use PF_RING™-aware drivers).

Get It