Breaking News
Design How-To

Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch

NO RATINGS
Page 1 / 3 Next >
More Related Links
View Comments: Newest First | Oldest First | Threaded View
chrisloyel
User Rank
Rookie
re: Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch
chrisloyel   5/23/2012 5:01:14 PM
NO RATINGS
hai there..i want to ask, what can we do with PF_RING kernel patch in addition to improvment packet lossless..???

Joseph Gasparakis
User Rank
Rookie
re: Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch
Joseph Gasparakis   10/9/2009 3:38:11 PM
NO RATINGS
Hi CapnKernel (and other readers) Thank you for your comment. You are right, using mmap is an improvement for pushing packets up into userspace as you avoid the expensive buffer copies and then using the libpcap_mmap you can incorporate the benefits into any packet processing application that relies on libpcap. Since you are happy with the performance (and maybe other readers would be just like you) libpcap_mmap is giving to you that is fine, however we have seen PF_RING giving generally better performance if you can afford to have a patched kernel. In two words: It all depends on how much performance boost you need and if you want a patched kernel.

CapnKernel
User Rank
Rookie
re: Improvement of libpcap for lossless packet capturing in Linux using PF_RING kernel patch
CapnKernel   10/8/2009 7:03:44 AM
NO RATINGS
(Note to readers: Some of the example code above is a bit whacked, for example, '/pfcount "v "I ethX'). Things like PF_RING are necessary because the existing Linux packet capture mechanism is horribly inefficient, requiring two system calls and memory copying for every captured packet. With such a losesome design, it's no wonder packets get dropped. I recently went through this exercise with a 3G wireless modem. We were experiencing packet loss on capture of about 20%, although the actual TCP performance was fine. I tried PF_RING but had problems: http://lists.ntop.org/pipermail/ntop/2009-September/014992.html I also had a problem that with the PF_RING libpcap, I could only capture *USB* packets from the USB 3G modem, not ethernet frames: http://lists.ntop.org/pipermail/ntop/2009-September/014994.html Nobody on the ntop (home of PF_RING) mailing list had any answers for me. I also found that when capturing from a PCI ethernet card, packet loss was much reduced, but was not zero. In digging around, I found an alternative approach: A kernel option called "CONFIG_PACKET_MMAP", which has been part of the stock Linux kernel for five years: http://lxr.linux.no/linux/Documentation/networking/packet_mmap.txt On our OS (Fedora) this option is already turned on, so if you go the CONFIG_PACKET_MMAP route, there will be no kernel patching, and you may not need to recompile and deploy a new kernel. That's a win. The stock libpcap, however, does not support CONFIG_PACKET_MMAP. You can download a version that does from here: http://public.lanl.gov/cpw/ Building this libpcap is similar to in the article. Using CONFIG_PACKET_MMAP, we were able to achieve 0% captured packet loss on our Fedora boxes, with no need to roll out a new kernel. I have also tested it on gigabit ethernet, and I can capture with 0% loss. I'm not trying to say one option is better than another, but it's good to have a choice, and for me, CONFIG_PACKET_MMAP worked better.

Flash Poll
Radio
LATEST ARCHIVED BROADCAST
EE Times editor Junko Yoshida grills two executives --Rick Walker, senior product marketing manager for IoT and home automation for CSR, and Jim Reich, CTO and co-founder at Palatehome.
Like Us on Facebook

Datasheets.com Parts Search

185 million searchable parts
(please enter a part number or hit search to begin)
EE Times on Twitter
EE Times Twitter Feed
Top Comments of the Week