Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch
Oct 08, 2009, 07:34 (0 Talkback[s])
(Other stories by Joseph Gasparakis, James Chapman)
WEBINAR: On-demand webcast
How to Boost Database Development Productivity on Linux, Docker, and Kubernetes with Microsoft SQL Server 2017 REGISTER >
"These applications can be network analyzers (also known as
network monitors) or an intrusion prevention/detection system. Such
common open source applications are tcpdump , snort ,
wireshark  (previously known as ethereal) , ntop  etc.
"As the packet propagates from Network Interface Controller
(NIC) to the kernel and then to the userspace application, it
creates some overhead. Under heavy traffic conditions the
percentage of the captured packets over the total number can
"The size of the frame does play a significant factor, as the
smaller the packet size the higher the negative impact in the
packet capture percentage. The reason for this is that for same
throughput the amount of smaller packets is greater then for bigger
packet sizes, having as result more need for processing power.
"In this article we will describe how one can improve lossless
network packet capturing with libpcap by using the PF_RING kernel
patch. Libpcap is one of the more vastly open source library for
packet capturing and uses by default PF_PACKET protocol in order to
transfer the packets from the driver to the userspace."