PF_RING is a software framework for the Linux operating system that allows you to both increase packet capture speed and reduce the complexity of development of network-based applications. It comes with a feature-rich API that includes facilities such as:
• In-kernel packet processing by means of software plugins
• Packet reordering
• High-resolution hardware timestamps
• Transparent exploitation of selected network hardware features such as packet filtering and steering (Silicom 10 Gigabit 82599 adapters)
• Content inspection of packet payload
• Transparent IP fragments reassembly (enabled on demand)
• Ability to work in transparent mode with no interference with network operations
Thanks to PF_RING, network operators can accelerate legacy pcap-based network monitoring applications by means of the PF_RING-aware libpcap library.
Application developers can use PF_RING to simplify the development of passive network monitoring applications while still getting high performance. PF_RING plugins make applications more efficient by performing CPU-intensive tasks inside the Linux kernel; they are used through the PF_RING API, so no kernel coding is required.
For maximum packet capture speed, PF_RING comes with customized drivers for Silicom cards XX, YY (Intel- and Broadcom-based 1 Gigabit and 10 Gigabit adapters). It also includes support for the Sourcefire DAQ, which dramatically accelerates Snort-based applications on multicore systems.

Typical packet capture performance on a low-end Xeon server (X3450) with PF_RING-aware drivers is ~5 million packets/sec (Silicom 10 Gigabit 82598/99 adapters, 64-byte packets), which is a speedup of more than 200% over Linux packet capture on top of vanilla Linux drivers.
See also DNA for more advanced packet capturing.