Packet capturing in high-speed networks is not an easy task due to the system limitations like RAM and system bus throughput. Unfortunately, at high line-rate speeds, it is often impossible to capture every packet arriving at a network interface. Hardware may not be the only bottleneck, however, as inefficient software is also to blame for poor resources usage and resulting packet loss during capture. Within the context of this project the new software components will be developed in order to improve the performance of packet capturing in FreeBSD.

Project Goal

Implementation the new software components for efficient packet capturing at 1Gb and 10Gb. The new software should make it possible to minimize packet loss and CPU load during packet capture. These software components have to be realized as the new ringmap FreeBSD packet capturing stack and have to be based on:

Also the system calls have to be implemented in order to control the sniffing process. The new implemented software must be transparent for user-space applications. Namely, each application that uses libpcap for packet capturing shouldn't require modification in order to run with the new ringmap network driver and new modified libpcap.


Packet capturing stack: the software used for capturing packets


Our goal, as mentioned above, is to enhance the packet capturing performance. To this aim, some issues from standard packet capturing software that can cause packet loss and high CPU load should be eliminated.

There are operations that are most expensive in terms of CPU cycles. Among others, these are:

All above listed functions are used in the standard packet capturing software. The memory buffers are allocated by the network driver for each packet received at the network interface. Then packets are filtered and one or more times copied within the RAM. The user-space process gets access to the received packets using system call, what results in a context switch and in an additional copy operation. These operations can cause high system load and packet loss while capturing at bit-rates close to 1Gb/sec or greater (see results chapter in the ''ringmap'' presentation).

The main idea for solving this problem is eliminating packet copy operations and system calls by using shared memory buffers and eliminating memory allocations by using ring buffers. Our solution is to map DMA packet-buffers into the space of user process. This allows user-space process to access the captured packets directly in its own address space without any additional overhead. Thus the user-space process has the access to all packets received from the network immediately.

Ringmap is also able to filter the packets by using BPF. The packet filtering can be accomplished by both kernel- and libpcap-BPF. If BPF is not compiled in kernel the libpcap-BPF is used automatically.

Supported Hardware

Work in Progress

Details and Results

See presentation

AlexandreFiveg/RingmapOverview (last edited 2010-11-12T10:10:03+0000 by AlexandreFiveg)