Introduction
Packet capturing in high-speed networks is not an easy task due to the system limitations like RAM and system bus throughput. Unfortunately, at high line-rate speeds, it is often impossible to capture every packet arriving at a network interface. Hardware may not be the only bottleneck, however, as inefficient software is also to blame for poor resources usage and resulting packet loss during capture. Within the context of this project the new software components will be developed in order to improve the performance of packet capturing in FreeBSD.
Project Goal
Implementation the new software components for efficient packet capturing at 1Gb and 10Gb. The new software should make it possible to minimize packet loss and CPU load during packet capture. These software components have to be realized as the new ringmap FreeBSD packet capturing stack and have to be based on:
- generic network drivers:
libpcap
the new functions have to be developed for libpcap to accessing packets by using ringmap.
Also the system calls have to be implemented in order to control the sniffing process. The new implemented software must be transparent for user-space applications. Namely, each application that uses libpcap for packet capturing shouldn't require modification in order to run with the new ringmap network driver and new modified libpcap.
Definitions
Packet capturing stack: the software used for capturing packets
- Network adapter driver
- Software to analyze and filter received packets
- Software to access received packets from user-space
mostly based on libpcap library
Approach
Our goal, as mentioned above, is to enhance the packet capturing performance. To this aim, some issues from standard packet capturing software that can cause packet loss and high CPU load should be eliminated.
There are operations that are most expensive in terms of CPU cycles. Among others, these are:
- System calls
- Copy operations
- Memory allocations
All above listed functions are used in the standard packet capturing software. The memory buffers are allocated by the network driver for each packet received at the network interface. Then packets are filtered and one or more times copied within the RAM. The user-space process gets access to the received packets using system call, what results in a context switch and in an additional copy operation. These operations can cause high system load and packet loss while capturing at bit-rates close to 1Gb/sec or greater (see results chapter in the ''ringmap'' presentation).
The main idea for solving this problem is eliminating packet copy operations and system calls by using shared memory buffers and eliminating memory allocations by using ring buffers. Our solution is to map DMA packet-buffers into the space of user process. This allows user-space process to access the captured packets directly in its own address space without any additional overhead. Thus the user-space process has the access to all packets received from the network immediately.
Ringmap is also able to filter the packets by using BPF. The packet filtering can be accomplished by both kernel- and libpcap-BPF. If BPF is not compiled in kernel the libpcap-BPF is used automatically.
Supported Hardware
- Gigabit Ethernet adapters based on the following Intel controller chips:
8254x, 8257x, 8259x
Work in Progress
- Support for hardware timestamping
- Writing packets to the disc from within the kernel
- 10-GbE-Packet-Capturing:
- Multiqueue support
- Software extending to support hardware packet filtering
Extending ringmap for packet transmission