Packet capture is a mechanism that copies packets received from the
network and pushes them into user space, making the frame available to
an application for further analysis.
These applications can be network analyzers (also known as network
monitors) or intrusion prevention/detection systems. Common open
source applications of this kind are tcpdump, snort, wireshark
(previously known as ethereal), ntop, etc.
As the packet propagates from the Network Interface Controller (NIC) to
the kernel and then to the userspace application, it creates some
overhead. Under heavy traffic conditions the percentage of captured
packets over the total number can decrease.
The size of the frame plays a significant role: the smaller the
packet size, the higher the negative impact on the packet capture
percentage. The reason for this is that for the same throughput the
number of smaller packets is greater than for bigger packet sizes,
resulting in more need for processing power.
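The small-frame effect can be quantified. The following added example (not code from the article) computes the frames-per-second rate a link delivers for each of the frame sizes tested later in the article, and the fraction of frames a host keeps once its capture path saturates; the 1 Gbit/s line rate and the 1 Mpps host limit are assumed values.

```c
#include <stdio.h>

/* Bytes on the wire around every Ethernet frame that are not part of
 * the frame itself: 7-byte preamble + 1-byte SFD + 12-byte inter-frame
 * gap (the 4-byte FCS is already counted in the frame length). */
#define ETH_WIRE_OVERHEAD 20

/* Frames per second a link of line_bps bits/s delivers when every frame
 * is frame_bytes long. This is the rate the capture path must sustain. */
double frames_per_second(double line_bps, unsigned frame_bytes)
{
    return line_bps / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8.0);
}

/* Fraction of frames kept when the host can process at most max_pps
 * frames/s: 1.0 means lossless, anything lower means drops. */
double capture_fraction(double offered_pps, double max_pps)
{
    if (offered_pps <= max_pps)
        return 1.0;
    return max_pps / offered_pps;
}

/* Frame sizes used in the article's measurements. */
static const unsigned frame_sizes[] = { 64, 128, 256, 512, 1024, 1518 };

int main(void)
{
    const double line_bps = 1e9;      /* assumed: 1 Gbit/s link */
    const double host_max_pps = 1e6;  /* assumed: host keeps up with 1 Mpps */
    size_t i;

    printf("%6s %12s %10s\n", "bytes", "frames/s", "captured");
    for (i = 0; i < sizeof frame_sizes / sizeof frame_sizes[0]; i++) {
        double pps = frames_per_second(line_bps, frame_sizes[i]);
        printf("%6u %12.0f %9.1f%%\n", frame_sizes[i], pps,
               100.0 * capture_fraction(pps, host_max_pps));
    }
    return 0;
}
```

At 1 Gbit/s, 64-byte frames arrive at roughly 1.49 million per second while 1518-byte frames arrive at about 81 thousand per second, which is why the same host loses far more small frames than large ones.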
In this article we will describe how one can improve lossless
network packet capturing with libpcap by using the PF_RING kernel
patch. Libpcap is one of the most widely used open source libraries for
packet capturing and by default uses the PF_PACKET protocol in order to
transfer the packets from the driver to the userspace.
Libpcap is the de facto library that facilitates the packet transition
from the kernel to the userspace. It provides an API for the
programmer to select the capturing interface (device) and gives the
ability to compile Linux Packet Filters (LPF) into the kernel for
selective packet capturing based on the 5-tuple (protocol,
source/destination IP address and source/destination port).
PF_RING is a replacement for PF_PACKET that not only uses memory
mapping instead of expensive buffer copies from kernel space to
userspace, but also uses ring buffers, making the transport more
efficient.
In this article we will also provide an installation guide and a
comparison of libpcap, tested for lossless packet capturing with
and without the PF_RING patch applied.
We will show that for 64 byte packets there was a 17.01%
improvement, for 128 byte packets 3.49%, for 256 byte packets 57.82%,
for 512 byte packets 20.14%, for 1024 byte packets 19.19% and finally
for 1518 byte packets, the improvement was 11.15%.
These improvements reveal the ability of the existing hardware to allow
lossless packet capture at higher data rates, making open source IDS
and IPS systems that use libpcap more efficient. Also any other
applications such as protocol analyzers that use libpcap can work
Optimization using PF_RING
PF_RING is a mechanism conceived by Luca Deri for accelerating
libpcap. It comprises a kernel patch and a modified libpcap. This
modified libpcap provides exactly the same API to the user, but
underneath it uses the ring buffers provided by the kernel patch to
read packets. The patch copies the packets into the ring straight from
the driver. Figure 1 below shows the architecture of PF_RING.
Figure 1 - PF_RING and legacy architecture
Obtaining the PF_RING Source
PF_RING can be obtained using subversion:
The PF_RING package must be moved to /usr/src/kernels/ and the
PF_RING environment variable needs to point to that directory. The
mkpatch.sh file needs to be edited in order to specify the kernel
version. Here is an example for the 2.6.24 kernel:
When the above script gets executed it will automatically download
the specified kernel source and apply the PF_RING patch. A new
directory with the specified and patched kernel will be available.
The specifier "PF_RING" will appear at the end of the kernel
version. For the example of the 2.6.24 kernel, the directory
$PF_RING/workspace/linux-2.6.24PF_RING (under /usr/src/kernels/)
will be created.