PF_RING has been conceived as a kernel ring able to efficiently accommodate incoming network packets and deliver them to packet capture applications. It is a new type of network socket that dramatically improves the packet capture speed, and that's characterized by the following properties:
- Available for Linux kernels 2.4 and 2.6
- Device driver independent (best results can be achieved using network cards that support accelerated drivers)
- Kernel-based packet capture and sampling.
- Libpcap support (see below) for seamless integration with existing pcap-based applications.
- Ability to work in transparent mode (i.e. the packets are also forwarded to upper layers so existing applications will work as usual).
Introduced in late 2003, PF_RING 2.x has been successfully used by thousands of people over the Internet. Now with version 3.x several new features have been introduced:
- Ability to fully exploit the accelerated driver with a performance improvement of 80% over version 2.x.
- Ability to create application clusters: several packet capture applications can decide to create a cluster of PF_RINGs that share incoming packets. Packet sharing can be done in several ways ranging from simple round robin to smart per-flow sharing. Clusters are created by means of a new libpcap function, leaving all the rest of the code unchanged. The advantages of ring clusters are manifold and include:
  - Full exploitation of multiprocessor (SMP) hosts.
  - Enhanced application performance. For instance it is possible to run several NetFlow probes such as nProbe over a cluster of PF_RINGs for extreme performance at high network speeds.
As with PF_RING 2.x, this new version is completely transparent to the applications, as it is accessed via the enhanced libpcap, which, depending on the host configuration, transparently selects the best option available. This means that applications can be coded once; the rest of the work is done by the enhanced libpcap.
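The difference between the two cluster sharing policies mentioned above (round robin and per-flow) matters to any consumer that keeps per-connection state, such as a NetFlow probe. The following is an added example, not PF_RING or libpcap code: it calls no PF_RING API, the trace is constructed, and the direction-independent hash is an assumption about what per-flow sharing needs so that both directions of a connection reach the same consumer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 5-tuple plus a flow label; names are illustrative, not PF_RING structures. */
struct pkt { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; int flow; };

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define NFLOWS 3

/* Constructed trace: three flows (A=0, B=1, C=2), both directions, interleaved. */
static const struct pkt trace[] = {
    { IP(10,0,0,1), IP(10,0,0,2), 40000, 80,  6, 0 },  /* A, client -> server */
    { IP(10,0,0,3), IP(10,0,0,2), 40001, 443, 6, 1 },  /* B, client -> server */
    { IP(10,0,0,2), IP(10,0,0,1), 80, 40000,  6, 0 },  /* A, server -> client */
    { IP(10,0,0,4), IP(10,0,0,5), 5353, 53,  17, 2 },  /* C, query */
    { IP(10,0,0,2), IP(10,0,0,3), 443, 40001, 6, 1 },  /* B, server -> client */
    { IP(10,0,0,5), IP(10,0,0,4), 53, 5353,  17, 2 },  /* C, reply */
    { IP(10,0,0,1), IP(10,0,0,2), 40000, 80,  6, 0 },  /* A, client -> server */
};
#define NPKTS (sizeof trace / sizeof trace[0])

/* Per-flow policy: XOR and addition are commutative, so swapping source and
   destination yields the same hash and both directions pick one consumer. */
static unsigned flow_pick(const struct pkt *p, unsigned cluster_size) {
    uint32_t h = p->src_ip ^ p->dst_ip;
    h ^= (uint32_t)p->src_port + (uint32_t)p->dst_port;
    h ^= (uint32_t)p->proto << 24;
    h ^= h >> 16; h *= 0x45d9f3bU; h ^= h >> 16;   /* mix bits before the modulo */
    return h % cluster_size;
}

/* Count flows whose packets reach more than one consumer.
   per_flow == 0: round robin (packet i goes to consumer i mod cluster_size). */
static int split_flows(int per_flow, unsigned cluster_size) {
    int first[NFLOWS] = { -1, -1, -1 }, split[NFLOWS] = { 0 }, total = 0;
    for (unsigned i = 0; i < NPKTS; i++) {
        int c = per_flow ? (int)flow_pick(&trace[i], cluster_size) : (int)(i % cluster_size);
        int f = trace[i].flow;
        if (first[f] < 0) first[f] = c;                 /* first packet of this flow */
        else if (first[f] != c && !split[f]) { split[f] = 1; total++; }
    }
    return total;
}

int main(void) {
    printf("round robin: %d split flows, per-flow: %d\n", split_flows(0, 3), split_flows(1, 3));
    return 0;
}
```

Round robin balances load evenly but scatters a connection across consumers, so it suits stateless per-packet processing; per-flow sharing keeps each connection on one consumer at the cost of uneven load when a few flows dominate.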