[Oisf-users] af_packet vs pfring
Chris Wakelin
c.d.wakelin at reading.ac.uk
Sun Jul 28 11:22:49 UTC 2013
On 28/07/13 01:23, Cooper F. Nelson wrote:
> AF_PACKET + mmap mode is pretty much the same thing as pf_ring.
More or less true for the "vanilla" PF_RING
> I thought pf_ring was proprietary or licensed in some way, but I may be
> wrong about that.
"vanilla" PF_RING is open-source. There are proprietary extensions to it
- "DNA" drivers and "libzero for DNA" that are sold for a small amount.
However, universities can probably have them for free if they ask nicely
(as we did :-) )
DNA makes packet capture faster but only one application can access the
packets. DNA + libzero enables multiple applications to see the packets
in a "zero-copy" mode (for extra speed). See
http://www.ntop.org/products/pf_ring/dna/ and
http://www.ntop.org/products/pf_ring/libzero-for-dna/ for details.
> In my setup, it appears AF_PACKET mode will truncate packets unless all
> offloading features of the NIC are disabled.
Probably true of PF_RING too.
> See this blog post for more details:
> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
>
> I use AF_PACKET for suricata and libpcap for everything else on the same
> box, no problems yet.
>
> -Coop
>
We're using PF_RING + DNA + libzero and running Suricata + Bro + Argus.
I had a look at AF_PACKET a few months ago, but couldn't get it to work
without dropping packets. I also was under the impression it wouldn't
allow multiple applications to see the traffic, but from what Cooper
just said, it seems I was wrong!
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
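Cooper's point that AF_PACKET truncates packets unless the NIC's offloading features are disabled suggests a quick check before deploying a sensor. The following is an added example, not code from this thread or from Suricata: a POSIX shell helper that reads `ethtool -k <iface>` output on stdin, reports which offload features are still on, and prints the `ethtool -K` command that would turn them off. The feature names are the ones ethtool prints; the interface name and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report NIC offload features still "on"
# from `ethtool -k <iface>` output read on stdin. Feature names are the ones
# ethtool prints; the interface name and sample output are assumptions.
OFFLOADS="rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Print, one per line, each feature in OFFLOADS whose ethtool line says "on".
enabled_offloads() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) wanted[names[i]] = 1 }
        { name = $1; sub(/:$/, "", name); if ((name in wanted) && $2 == "on") print name }'
}

# Map a long feature name to the short form accepted by `ethtool -K`.
short_name() {
    case "$1" in
        rx-checksumming) echo rx ;;
        tx-checksumming) echo tx ;;
        tcp-segmentation-offload) echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload) echo gro ;;
        large-receive-offload) echo lro ;;
        *) echo "$1" ;;
    esac
}

# Print (do not run) the ethtool -K command that turns the enabled ones off.
suggest_fix() {
    iface="$1"
    feats=$(enabled_offloads)
    if [ -z "$feats" ]; then
        echo "# no listed offload features enabled on $iface"
        return 0
    fi
    printf 'ethtool -K %s' "$iface"
    for f in $feats; do printf ' %s off' "$(short_name "$f")"; done
    printf '\n'
}

# Constructed sample of `ethtool -k eth0` output (not a real capture).
SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on'

printf '%s\n' "$SAMPLE" | suggest_fix eth0
```

On a live box, pipe `ethtool -k eth0 | suggest_fix eth0` and review the printed command before running it as root; features marked `[fixed]` cannot be changed with ethtool.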