Improving Passive Packet Capture : Beyond Device Polling
•Descargar como PPT, PDF•
0 recomendaciones•950 vistas
The document discusses improving passive packet capture performance beyond device polling. It proposes a "Socket Ring" approach using PF_RING to create a ring buffer on the network interface card driver. This allows captured packets to bypass the kernel and be directly accessed by userspace applications via memory mapping, improving performance over traditional approaches. Experimental results found the PF_RING approach captured packets much faster than Linux's standard approach, especially for medium and large packets, though some packets were still lost. The approach requires a real-time kernel patch and performance is ultimately limited by network drivers and how the kernel fetches packets.
![Background (1) ,[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (16)
Destacado
Similar a Improving Passive Packet Capture : Beyond Device Polling
Similar a Improving Passive Packet Capture : Beyond Device Polling (20)
Último
Último (20)
Improving Passive Packet Capture : Beyond Device Polling
- 1. Improving Passive Packet Capture : Beyond Device Polling presented by: Hargyo Tri Nugroho Computer Network & System Research Lab. Chung Yuan Christian University – Taiwan, ROC Luca Deri
- 5. Ring Buffer on NIC Driver Tested on Intel Gigabit NIC The original Intel code is available at http://sourceforge.net/projects/e1000/.
- 7. Socket Ring (PF_RING Scheme)
Notas del editor
- libpcap-mmap reduced the time spent moving the packet from the kernel to userspace but has not improved at all the journey of the packet from the adapter to kernel Linux spends most of its time moving packets from the network card to the kernel and very litle from kernel to userspace netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
- Whenever a packet is received from the adapter (usually via DMA, direct memory access), the driver passes the packet to upper layers (on linux this is implemented by the netif_receive_skb and netif_rx functions depending whether polling is enabled or not). In case the PF_RING socket, every incoming packet is copied into the socket ring or discarded if necessary (e.g in case of sampling when the specified sample rate has not been satisfied). If the buffer is full, the packet is discarded. Received packets for adapters with bounded PF_RING sockets, by default are not forwarded to upper layers but they are discarded after they have been copied into the rings. This practise increases the overall performance, as packets do not need to be handled by upper layers but only by the ring. The socket ring buffer is exported to userspace applications via mmap Userspace applications that want to access the buffer need to open the file, then call mmap() on it in order to obtain a pointer to the circular buffer. The kernel copies packets into the ring and moves the write pointer. Userspace apps do the same with the read pointer New incoming pacets overwrite packets that have been read by userspace apps. Memor is not allocated / deallocated by packets read/written to the buffer, but it is simply overwritten. The buffer length and bucket size is fully user configurable and it is the same for all sockets.