PF_RING : High-Speed Packet Processing Framework

PF_RING is a Linux kernel module and user-space framework that allows you to process packets at high-rates while providing you a consistent API for packet processing applications.

Basically everyone who has to handle many packets per second. The term ‘many’ changes according to the hardware you use for traffic analysis.

It can range from 80k pkt/sec on a 1,2GHz ARM to 15M pkt/sec and above per core on a low-end 2,5GHz Xeon. It not only enables you to capture packets faster, it also captures packets more efficiently preserving CPU cycles.

Also Read : nDPI : Open Source Deep Packet Inspection Software Toolkit

Installing from GIT

It can be downloaded in source format from GIT at https://github.com/ntop/PF_RING/ or installed from packages using our repositories at http://packages.ntop.org as described in the Installing From Packages section. In this chapter we cover the installation from source code.

Clone our repository to download the PF_RING source code:

git clone https://github.com/ntop/PF_RING.git

The PF_RING source code includes:

  • The user-space SDK.
  • An enhanced version of libpcap that transparently takes advantage of PF_RING.
  • The PF_RING kernel module.
  • PF_RING ZC drivers.

Kernel Module Installation

In order to compile it kernel module you need to have the linux kernel headers (or kernel source) installed.

cd PF_RING/kernel
make
sudo make install

Running PF_RING

Before using any the application, the pf_ring kernel module should be loaded:

cd PF_RING/kernel
sudo insmod ./pf_ring.ko [min_num_slots=N] [enable_tx_capture=1|0] [ enable_ip_defrag=1|0]

Where:

min_num_slots
Minimum number of packets the kernel module should be able to enqueue (default – 4096).
enable_tx_capture
Set to 1 to capture outgoing packets, set to 0 to disable capture outgoing packets (default – RX+TX).
enable_ip_defrag
Set to 1 to enable IP defragmentation, only RX traffic is defragmented (default – disabled)

Example:

cd PF_RING/kernel
sudo insmod pf_ring.ko min_num_slots=65536 enable_tx_capture=0

Drivers

If you want to achieve line-rate packet capture at 10 Gigabit and above on Intel adapters, you should use ZC drivers. You can check the driver family using ethtool:

ethtool -i eth1 | grep driver
driver: ixgbe

and load the corresponding driver using the load_driver.sh script in the driver folder:

cd PF_RING/drivers/intel
make
cd ixgbe/ixgbe-*-zc/src
sudo ./load_driver.sh

Libpfring and Libpcap Installation

Both libpfring and libpcap are distributed in source format. They can be compiled and installed as follows:

cd PF_RING/userland/lib
./configure && make
sudo make install
cd ../libpcap
./configure && make
sudo make install


Note that legacy statically-linked pcap-based applications need to be recompiled against the new PF_RING-enabled libpcap.a in order to take advantage of it. Do not expect to use it without recompiling your existing application in this case.

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

12 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

12 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

3 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago