Linux Today: Linux News On Internet Time.

Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch

Oct 08, 2009, 07:34
(Other stories by Joseph Gasparakis, James Chapman)

"These applications can be network analyzers (also known as network monitors) or an intrusion prevention/detection system. Common open source applications of this kind are tcpdump [1], snort [2], wireshark [3] (previously known as ethereal), ntop [4], etc.

"As the packet propagates from the Network Interface Controller (NIC) to the kernel and then to the userspace application, it creates some overhead. Under heavy traffic conditions the percentage of the captured packets over the total number can decrease.

"The size of the frame is a significant factor, as the smaller the packet size, the higher the negative impact on the packet capture percentage. The reason for this is that for the same throughput the number of smaller packets is greater than for bigger packet sizes, resulting in a greater need for processing power.

"In this article we will describe how one can improve lossless network packet capturing with libpcap by using the PF_RING kernel patch. Libpcap [1] is one of the most widely used open source libraries for packet capturing and uses the PF_PACKET protocol by default in order to transfer the packets from the driver to the userspace."
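The excerpt's argument that smaller frames hurt capture rates can be made concrete with a small model. This is an added example, not code from the article or from the PF_RING project: it computes the maximum Ethernet frame rate a link can deliver for a given frame size (using standard 8-byte preamble/SFD and 12-byte inter-frame gap), then assumes a constant per-packet CPU cost for the capture path (a constructed, illustrative figure) to show what fraction of packets the capture path can keep up with.

```python
# Added example: why the same throughput in smaller frames means more
# packets per second, and therefore more dropped packets for a capture
# path with a fixed per-packet cost.

PREAMBLE_SFD_BYTES = 8   # Ethernet preamble + start frame delimiter
IFG_BYTES = 12           # minimum inter-frame gap at line rate


def max_pps(link_bps: float, frame_bytes: int) -> float:
    """Maximum frames per second on a link of link_bps for frames of
    frame_bytes (frame size includes the FCS, as in the usual 64..1518
    byte range)."""
    wire_bytes = frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES
    return link_bps / 8.0 / wire_bytes


def capture_ratio(link_bps: float, frame_bytes: int,
                  per_packet_cost_s: float) -> float:
    """Fraction of line-rate packets a capture path can handle if each
    packet costs per_packet_cost_s seconds of CPU time (assumed constant
    regardless of frame size, which is the case the article describes:
    per-packet overhead in the NIC -> kernel -> userspace path)."""
    capacity_pps = 1.0 / per_packet_cost_s
    return min(1.0, capacity_pps / max_pps(link_bps, frame_bytes))


def capture_table(link_bps: float, per_packet_cost_s: float,
                  frame_sizes=(64, 128, 256, 512, 1024, 1518)):
    """Return (frame_bytes, packets_per_second, captured_fraction) rows."""
    return [(size, max_pps(link_bps, size),
             capture_ratio(link_bps, size, per_packet_cost_s))
            for size in frame_sizes]


if __name__ == "__main__":
    # Constructed scenario: 1 Gbit/s link, 1 microsecond of CPU per packet.
    for size, pps, ratio in capture_table(1e9, 1e-6):
        print(f"{size:5d} B  {pps:12.0f} pps  captured {ratio * 100:6.1f}%")
```

Reducing the per-packet cost (fewer copies between driver, kernel and userspace, which is what PF_RING targets) raises the capture path's capacity and moves the point at which small frames start to be dropped.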
