Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch

“These applications can be network analyzers (also known as network monitors) or an intrusion prevention/detection system. Such common open source applications are tcpdump [1], snort [2], wireshark [3] (previously known as ethereal), ntop [4] etc.”

“As the packet propagates from the Network Interface Controller (NIC) to the kernel and then to the userspace application, it creates some overhead. Under heavy traffic conditions the percentage of the captured packets over the total number can decrease.”

“The size of the frame does play a significant factor, as the smaller the packet size the higher the negative impact on the packet capture percentage. The reason for this is that for the same throughput the number of smaller packets is greater than for bigger packet sizes, resulting in more need for processing power.”

“In this article we will describe how one can improve lossless network packet capturing with libpcap by using the PF_RING kernel patch. Libpcap [1] is one of the most widely used open source libraries for packet capturing and uses the PF_PACKET protocol by default in order to transfer the packets from the driver to the userspace.”
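The quoted abstract makes two quantitative claims: that the NIC-to-kernel-to-userspace path costs something per packet, and that smaller frames therefore hurt the captured percentage more at the same throughput. The C program below is an added example, not code from the article or from the libpcap or PF_RING projects. It computes the frame rate a link offers at a given frame size (using the real Ethernet preamble and inter-frame gap overhead), then runs a deliberately simple capture-path cost model whose per-packet and per-byte costs are assumed constants chosen for illustration, not measurements, and finally shows how to turn pcap_stats()-style counters into a captured percentage. The counter snapshot at the end is constructed.

```c
/* Added example: why small frames cost a capture stack more, and how to
 * read capture loss from pcap_stats()-style counters. Not from the article. */
#include <stdio.h>
#include <stdint.h>

#define ETH_PREAMBLE_SFD 8   /* bytes on the wire before each frame */
#define ETH_IFG          12  /* minimum inter-frame gap, in bytes */

/* Frames per second a link of link_bps bits/s delivers when every frame is
 * frame_bytes long (frame length includes the 4-byte FCS). */
double line_rate_pps(double link_bps, unsigned frame_bytes)
{
    double wire_bits = (frame_bytes + ETH_PREAMBLE_SFD + ETH_IFG) * 8.0;
    return link_bps / wire_bits;
}

/* Cost model for the NIC -> kernel -> userspace path: each packet costs
 * fixed_cost_s seconds regardless of size (interrupt, skb handling, socket
 * queueing, wakeup) plus byte_cost_s per byte copied. Both costs are
 * assumptions supplied by the caller; the model is a simplification. */
double max_sustainable_pps(unsigned frame_bytes, double fixed_cost_s,
                           double byte_cost_s)
{
    return 1.0 / (fixed_cost_s + frame_bytes * byte_cost_s);
}

/* Fraction of offered packets the stack keeps (1.0 means lossless). */
double predicted_capture_fraction(double offered_pps, double sustainable_pps)
{
    if (offered_pps <= 0.0)
        return 1.0;
    return sustainable_pps >= offered_pps ? 1.0 : sustainable_pps / offered_pps;
}

/* Captured percentage from two counters: packets delivered to the
 * application and packets the kernel dropped for lack of buffer space.
 * Caveat: whether struct pcap_stat's ps_recv already includes ps_drop is
 * platform dependent (see pcap_stats(3PCAP)); derive 'delivered' for your
 * platform before calling this. */
double captured_percent(uint64_t delivered, uint64_t dropped)
{
    uint64_t total = delivered + dropped;
    if (total == 0)
        return 100.0;
    return 100.0 * (double)delivered / (double)total;
}

int main(void)
{
    const double link = 1e9;        /* 1 Gbit/s link */
    const double fixed = 1.0e-6;    /* assumed: 1 us of fixed cost per packet */
    const double per_byte = 0.2e-9; /* assumed: 0.2 ns per byte copied */
    const unsigned sizes[] = {64, 128, 256, 512, 1024, 1518};
    size_t i;

    printf("%6s %12s %14s %9s\n", "bytes", "line pps", "sustain pps", "captured");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        double offered = line_rate_pps(link, sizes[i]);
        double sustain = max_sustainable_pps(sizes[i], fixed, per_byte);
        printf("%6u %12.0f %14.0f %8.1f%%\n", sizes[i], offered, sustain,
               100.0 * predicted_capture_fraction(offered, sustain));
    }

    /* Constructed counter snapshot, as a run might report it. */
    printf("counters: %.2f%% captured\n", captured_percent(950000, 50000));
    return 0;
}
```

Under these assumed costs the 64-byte case is offered roughly 1.49 Mpps while the modelled path sustains under 1 Mpps, so about a third of the frames are lost, whereas 1518-byte frames at the same link rate (about 81 kpps) are captured without loss. Changing the fixed per-packet cost is the knob that the PF_RING approach described in the article targets; the per-byte cost matters far less at small frame sizes.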