PF_RING is a Linux kernel module and user-space framework that allows you to process packets at high-rates while providing you a consistent API for packet processing applications.
Basically everyone who has to handle many packets per second. The term ‘many’ changes according to the hardware you use for traffic analysis.
It can range from 80k pkt/sec on a 1,2GHz ARM to 15M pkt/sec and above per core on a low-end 2,5GHz Xeon. It not only enables you to capture packets faster, it also captures packets more efficiently preserving CPU cycles.
Also Read : nDPI : Open Source Deep Packet Inspection Software Toolkit
Installing from GIT
It can be downloaded in source format from GIT at https://github.com/ntop/PF_RING/ or installed from packages using our repositories at http://packages.ntop.org as described in the Installing From Packages section. In this chapter we cover the installation from source code.
Clone our repository to download the PF_RING source code:
git clone https://github.com/ntop/PF_RING.git
The PF_RING source code includes:
Kernel Module Installation
In order to compile it kernel module you need to have the linux kernel headers (or kernel source) installed.
cd PF_RING/kernel
make
sudo make install
Running PF_RING
Before using any the application, the pf_ring kernel module should be loaded:
cd PF_RING/kernel
sudo insmod ./pf_ring.ko [min_num_slots=N] [enable_tx_capture=1|0] [ enable_ip_defrag=1|0]
Where:
min_num_slots
Minimum number of packets the kernel module should be able to enqueue (default – 4096).
enable_tx_capture
Set to 1 to capture outgoing packets, set to 0 to disable capture outgoing packets (default – RX+TX).
enable_ip_defrag
Set to 1 to enable IP defragmentation, only RX traffic is defragmented (default – disabled)
Example:
cd PF_RING/kernel
sudo insmod pf_ring.ko min_num_slots=65536 enable_tx_capture=0
Drivers
If you want to achieve line-rate packet capture at 10 Gigabit and above on Intel adapters, you should use ZC drivers. You can check the driver family using ethtool:
ethtool -i eth1 | grep driver
driver: ixgbe
and load the corresponding driver using the load_driver.sh script in the driver folder:
cd PF_RING/drivers/intel
make
cd ixgbe/ixgbe-*-zc/src
sudo ./load_driver.sh
Libpfring and Libpcap Installation
Both libpfring and libpcap are distributed in source format. They can be compiled and installed as follows:
cd PF_RING/userland/lib
./configure && make
sudo make install
cd ../libpcap
./configure && make
sudo make install
Note that legacy statically-linked pcap-based applications need to be recompiled against the new PF_RING-enabled libpcap.a in order to take advantage of it. Do not expect to use it without recompiling your existing application in this case.
When people ask how UDP works, the simplest answer is this: UDP sends data quickly…
Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity, designed to…
A large-scale malware campaign leveraging AI-assisted development techniques has been uncovered, revealing how attackers are…
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
People trying to securely connect to work are being tricked into doing the exact opposite.…
A newly disclosed Android vulnerability is making noise for a good reason. Researchers showed that…