- Get Started
Gigabit Ethernet (and above) Line-Rate Packet Capture
on Virtual Machines
vPF_RING (Virtual PF_RING) extends the operating system-bypass approach followed by PF_RING to the context of virtual environments implementing an hypervisor-bypass approach. This means that it is now possible to capture packets directly, in zero-copy fashion, without the involvement of the hypervisor. vPF_RING can do this by creating a mapping between the host kernel-space and the guest user-space, allowing packets to follow a straight path from the NIC to the monitoring applications running on VMs.
The approach followed by vPF_RING dramatically improves performance, which are close to native under most circumstances, while current virtualization approaches have proven ill suited to be used with network monitoring applications when wire-rate packet capture is required.
Since almost all recent processors take advantage of virtualization extensions which allow the guest code to be executed natively, by removing bottlenecks in packet capture it is possible to collapse the gap between performance achieved by virtualized network monitoring applications running on VMs and performance achieved by applications running natively.
vPF_RING takes advantage of the packet filtering and steering capabilities of PF_RING, both hardware and software.
An early packet filtering prevents packets from being discarded on the guest OS after they have passed through several layers and wasted precious CPU cycles.
Furthermore, applications running on different VMs are able to analyze the same traffic, or different subsets of it. As packet capture is a costly activity, with this solution it is no more necessary to capture the same packets multiple times, because they are captured once and dispatched to various VMs.
Performance tests performed on an entry-level Intel Xeon demonstrate that vPF_RING grants a 0% packet capture loss for all packet sizes on Gigabit Ethernet links (and above), while preexisting software solutions (such as Virtio-Net, the paravirtualized network driver for KVM) can reach 90% under the same conditions.
vPF_RING, combined with PF_RING-aware drivers, can do much more, capturing several million packets per second without any packet loss on VMs with a single virtual CPU.
For the User’s Manual visit the Documentation section.
vPF_RING is part of the PF_RING distribution since version 5.0. Note that, as our work is self-funded and we need some income in order to continue with our research, we decided to ask a little fee for using the vPF_RING library. For this reason the library requires a per-host (physical machine) unlock code. On the other hand you are free to test it: with no unlock-code the application can work for a few minutes in order to allow you to evaluate it.
* As vPF_RING is based on vanilla PF_RING, all cards are supported, but performance can vary according to the NIC driver (it is recommended to use PF_RING-aware drivers).