PF_RING


PF_RING is a new type of network socket that dramatically improves packet capture speed and is characterized by the following properties:

  1. Available for Linux kernels 2.4.X and 2.6.X
  2. Device driver independent (best results can be achieved using network cards that support NAPI such as the Intel cards)
  3. Kernel-based packet capture and sampling.
  4. Libpcap support (see below) for seamless integration with existing pcap-based applications.
  5. New: ability to specify hundreds of header filters in addition to BPF.
  6. New: content inspection, so that only packets matching the pattern are passed on.
  7. Ability to work in transparent mode (i.e. the packets are also forwarded to the upper layers, so existing applications keep working as usual).

If you want to know about PF_RING internals you have two options. Either read the papers:

or have a look at the source code.


Who needs PF_RING?


Basically everyone who has to handle many packets per second. What 'many' means depends on the hardware you use for traffic analysis: it can range from 20k pkt/sec on an i486 to 500k pkt/sec on a Pentium IV. PF_RING not only lets you capture packets faster, it also captures them more efficiently, saving CPU cycles. To give you some figures, you can see how fast nProbe, a NetFlow v5/v9 probe, can go using PF_RING.


Availability


PF_RING is available under the GPL licence. You can download it using SVN:

  • mkdir my_pf_ring_goes_here
  • cd my_pf_ring_goes_here
  • svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/


How to Build your PF_RING-enabled Kernel


  1. Download the kernel patch for the kernel you plan to use and the kernel source from kernel.org.
  2. Patch the kernel source code using the PF_RING code you have downloaded.
  3. Configure your kernel. Make sure that both PF_RING and the packet filter option are enabled.
  4. Build and install your custom kernel.
  5. Build the libpcap-ring library using the files included in the PF_RING source code.
  6. Build your favourite application (e.g. ntop or tcpdump) using the libpcap-ring. Make sure that at runtime you're using the new libpcap-ring and not the default libpcap.
  7. Enjoy!
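Two of the steps above are easy to get wrong silently: a kernel configured without the PF_RING option (step 3), and an application that still resolves the stock libpcap at runtime instead of libpcap-ring (step 6). The helper functions below, an added example rather than PF_RING project code, check both; the kernel option names (CONFIG_RING, CONFIG_PACKET) and the ldd output format are assumptions and can be overridden through the environment variables shown.

```shell
#!/bin/sh
# Added example, not part of the PF_RING sources. Option names below are
# assumptions: override PF_RING_OPTS if your patched kernel names them differently.
set -eu

# Kernel config symbols expected after applying the PF_RING patch (assumed names).
PF_RING_OPTS="${PF_RING_OPTS:-CONFIG_RING CONFIG_PACKET}"

# pf_ring_config_ok <path-to-.config>
# Returns 0 only when every required option is built in (=y) or as a module (=m).
pf_ring_config_ok() {
    cfg="$1"
    for opt in $PF_RING_OPTS; do
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            echo "$cfg: $opt is missing or disabled" >&2
            return 1
        fi
    done
    return 0
}

# pf_ring_check_ldd <dir-where-libpcap-ring-was-installed>
# Reads 'ldd <binary>' output on stdin, prints the libpcap path the dynamic
# loader resolves, and returns 0 only when that path is under the given dir.
# A statically linked binary or a "not found" entry is reported as a failure.
pf_ring_check_ldd() {
    want="$1"
    resolved=$(awk '/libpcap/ { print $3; exit }')
    if [ -z "$resolved" ]; then
        echo "no dynamic libpcap dependency found" >&2
        return 1
    fi
    case "$resolved" in
        "$want"/*) echo "$resolved"; return 0 ;;
        *) echo "libpcap resolves to $resolved, not under $want" >&2; return 1 ;;
    esac
}
```

Typical use after the build: `pf_ring_config_ok /usr/src/linux/.config` and `ldd /usr/local/bin/tcpdump | pf_ring_check_ldd /usr/local/lib` (adjust the paths to where you installed libpcap-ring).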


Credits