PF_RING

PF_RING and transparent_mode

Many PF_RING users know that, to avoid patching the Linux kernel, as of PF_RING 4.x packets are received through NAPI. This means that the packet journey is the same as in standard Linux, so the performance improvement with respect to vanilla Linux is minimal (< 5%), although PF_RING can do many more things than the standard AF_PACKET. In order to boost performance, PF_RING supports a parameter named transparent_mode that can be set when the module is loaded into the kernel, as follows: insmod pf_ring.ko transparent_mode=X where X can either …

Using PF_RING with Snort and Suricata for IDS/IPS Acceleration

Some users are exploiting PF_RING acceleration to improve popular IDS/IPS applications such as Snort and Suricata. Suricata has leveraged PF_RING since day one thanks to Will Metcalf, whereas I have added (again together with Will) support in snort using the DAQ library that is part of the 2.9 version. Acceleration does not mean just improved packet capture, but also the ability to fully exploit multicore architectures by spreading packets across multiple application instances. This is a unique feature that can’t be found in pcap-based libraries. This is an excerpt from the snort-users mailing …

Meet ntop at RIPE 61 Rome (15-19 November)

Those who are interested in hearing about high-speed packet capture and filtering, and about monitoring in general, can show up at the next RIPE 61 meeting that will take place in Rome (15-19 November). I will be speaking about hardware packet filtering using commodity adapters and how this work can be used in real life, ranging from ntop/nProbe to snort and network troubleshooting. …

Improving snort performance using PF_RING and multi-queue adapters

As of PF_RING 4.5.x, the user-space tools that are part of PF_RING have been enhanced with native snort support. As of version 2.9, snort sits on top of a library called DAQ (Data Acquisition library) that creates a transparent layer between snort and the packet capture modules. PF_RING is now a first-class citizen in DAQ, as in PF_RING/userland/snort you can find the PF_RING DAQ module. This module not only allows snort to take advantage of PF_RING acceleration, but also allows it to offload some of its processing tasks to PF_RING. For instance …

10 Gbit Hardware Packet Filtering Using Commodity Network Adapters

The promise of filtering packets in hardware is not new. Unfortunately, filtering network adapters are pretty expensive, even more so if they run at 10 Gbit. Furthermore, many commercial FPGA-based NICs feature hardware packet filtering, but often require card reconfiguration whenever flow rules are added/removed and have a limited set of rules that can be configured. The release of Intel X520, the first NIC based on the 82599-controller, has triggered my interest as this controller is much more powerful than what Linux can do with it. Thanks to support from …

PF_RING/TNAPI-based 10 Gbit Network Monitoring on Multicore Systems

Over the past couple of years, PF_RING has been enhanced to exploit innovations in computer hardware. In particular the availability of multicore systems and efficient controllers such as those introduced by Intel with the i7 family (in particular Nehalem and Sandy Bridge) has allowed applications to spread their load across all available processors (24 cores in dual-CPU Westmere systems). In addition to this, modern 82599-based 10 Gbit network adapters, which feature hardware-based packet filtering and prioritization across RX queues, have opened up a whole world of opportunities. For this reason in …

Modern Packet Capture and Analysis: Multi-Core, Multi-Gigabit, and Beyond

Sometimes people ask me for a tutorial about PF_RING. Last year I gave a tutorial about it at the IM 2009 conference. I think that everyone interested in using PF_RING for going beyond packet capture acceleration should read this set of slides I used for the tutorial. Today the cost of packet capture is limited with respect to packet analysis. For this reason you should use PF_RING as a framework for creating simple yet powerful traffic monitoring applications. …

Installation Guide For PF_RING

Below you can find an installation guide for PF_RING written by Gunjan Bansal. The original blog entry can be found at this URL. ————- Hi, This is my first guide so please bear with me for any discrepancies. These steps were tested on an Intel Core 2 Duo machine with 4 GB RAM and an Intel(R) PRO/1000 Network Card, with Ubuntu 9.10 installed. This guide explains the installation procedure for Version 4.3.1. PF_RING implementation by Luca Deri is a great method for efficient Packet Capture on Commodity Hardware. It can be found on …

10 Gbit PF_RING-based Hardware Packet Filtering and Balancing Previewed at the Intel Europe Conference

Intel Research Europe Conference, Bruxelles, May 4th 2010. Luca Deri and Joseph Gasparakis, senior Intel engineer, have previewed a new PF_RING-based technology they have co-developed that allows Linux users to fully exploit the hardware capabilities of the newest Intel X520 10 Gbit adapter (based on Intel 82599 controller). This technology, which is close to public availability (at no cost), will enable PF_RING users to program the X520 card with rules (over 32’000) that both balance and filter traffic in hardware with no CPU intervention. Linux users will be …

PF_RING and Transparent Mode

PF_RING has been designed for enhancing packet capture performance. This means that the RX path must be accelerated, and one way to accelerate it is to shorten the journey of the packet from the adapter to userland. This is achieved by allowing the driver to push the packet from the NIC to PF_RING directly and not through the usual kernel path. For this reason PF_RING has introduced an option named “transparent mode” whose goal is to tune how packets are moved from the NIC to PF_RING. This option …

Introducing PF_RING DNA (Direct NIC Access)

This is to announce the availability of PF_RING DNA (Direct NIC Access) that significantly increases performance (up to 80%) when compared with Linux packet capture and PF_RING (non DNA). PF_RING polls packets from NICs by means of Linux NAPI. This means that NAPI copies packets from the NIC to the PF_RING circular buffer, and then the userland application reads packets from the ring. In this scenario there are two pollers, the application and NAPI, and this results in CPU cycles being used for this polling; the advantage is that PF_RING …

ntop.org Joins the Open Information Security Foundation

Suricata is the next generation open source IDS/IPS developed by the Open Information Security Foundation. It is a pleasure to announce that ntop has joined the core development team, as the Linux version of Suricata is based on acceleration provided by PF_RING. In the near future PF_RING will be extended so that it can also accelerate packet transmission in order to move the Suricata IPS performance to the next level. More information can be found here. …