[Oisf-users] af_packet vs pfring

Chris Wakelin c.d.wakelin at reading.ac.uk
Sun Jul 28 11:22:49 UTC 2013

On 28/07/13 01:23, Cooper F. Nelson wrote:
> AF_PACKET + mmap mode is pretty much the same thing as pf_ring.

More or less true for the "vanilla" PF_RING

> I thought pf_ring was proprietary or licensed in some way, but I may be
> wrong about that.

"vanilla" PF_RING is open-source. There are proprietary extensions to it
- "DNA" drivers and "libzero for DNA" that are sold for a small amount.
However, universities can probably have them for free if they ask nicely
(as we did :-) )

DNA makes packet capture faster but only one application can access the
packets. DNA + libzero enables multiple applications to see the packets
in a "zero-copy" mode (for extra speed). See
http://www.ntop.org/products/pf_ring/dna/ and
http://www.ntop.org/products/pf_ring/libzero-for-dna/ for details.

> In my setup, it appears AF_PACKET mode will truncate packets unless all
> offloading features of the NIC are disabled.

Probably true of PF_RING too.

> See this blog post for more details: >
> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
> I use AF_PACKET for suricata and libpcap for everything else on the same
> box, no problems yet.
> -Coop

We're using PF_RING + DNA + libzero and running Suricata + Bro + Argus.
I had a look at AF_PACKET a few months ago, but couldn't get it to work
without dropping packets. I also was under the impression it wouldn't
allow multiple applications to see the traffic, but from what Cooper
just said, it seems I was wrong!

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the Oisf-users mailing list