Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.
PF_RING
High-speed packet capture, filtering, and analysis.
In simple terms, PF_RING allows packets arriving on a single interface to be split across multiple threads/cores, allowing for more efficient packet processing. Packets are handled at a much lower level than in traditional packet sniffers/engines, reducing resource cost and increasing overall efficiency.
What is PF_RING?
PF_RING is an alternative network socket that dramatically improves packet capture speed characterized by the following properties:
- Available for Linux kernels 2.6.18 and newer.
- As of version 4.X, PF_RING can be used with vanilla kernels (i.e. no kernel patch required).
- PF_RING-aware drivers for increased packet capture acceleration.
- 10 Gbit Hardware Packet Filtering using commodity network adapters.
- User-space DNA (Direct NIC Access) drivers for extreme packet capture/transmission speed, as the NIC NPU (Network Process Unit) pushes/fetches packets to/from userland without any kernel intervention. Using the 10Gbit DNA driver you can send/receive at wire speed at any packet size.
- Libzero for DNA for distributing packets in zero-copy across threads and applications.
- Device driver independent.
- Kernel-based packet capture and sampling.
- Libpcap support for seamless integration with existing pcap-based applications.
- Ability to specify hundreds of header filters in addition to BPF.
- Content inspection, so that only packets matching the payload filter are passed.
- PF_RING plugins for advanced packet parsing and content filtering.
- Ability to work in transparent mode (i.e. the packets are also forwarded to upperlinks so existing applications will work as usual).
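The splitting of one interface's packets across threads/cores described above (and the Libzero distribution point) only helps an IDS such as Snort or Suricata if both directions of a TCP session land on the same worker; otherwise the stream reassembly that signatures depend on breaks. The following added example (not PF_RING's own code; the flow-symmetric hash is an assumed model of per-flow balancing, not PF_RING's actual algorithm) parses constructed IPv4/TCP packets and shows a symmetric 5-tuple hash keeping a flow together, next to a naive hash that can split it:

```python
"""Toy model of per-flow packet distribution across IDS worker threads.

Added example: constructed Ethernet/IPv4/TCP packets are hashed to one of
N rings. ring_for() orders the endpoints first so A->B and B->A always pick
the same ring; ring_for_naive() shows the failure mode without that step."""
import hashlib
import socket
import struct

ETH_HDR = 14  # Ethernet header length, no VLAN tag assumed


def build_packet(src_ip, dst_ip, src_port, dst_port):
    """Constructed sample: Ethernet + minimal IPv4 header + TCP SYN, no payload."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02,
                      8192, 0, 0)
    return eth + ip + tcp


def five_tuple(pkt):
    """Return (src_ip, dst_ip, proto, src_port, dst_port) from an IPv4 frame."""
    ihl = (pkt[ETH_HDR] & 0x0F) * 4
    proto = pkt[ETH_HDR + 9]
    src = pkt[ETH_HDR + 12:ETH_HDR + 16]
    dst = pkt[ETH_HDR + 16:ETH_HDR + 20]
    l4 = ETH_HDR + ihl
    sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    return src, dst, proto, sport, dport


def _bucket(key, num_rings):
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % num_rings


def ring_for(pkt, num_rings):
    """Symmetric hash: sort the endpoints so both directions share a ring."""
    src, dst, proto, sport, dport = five_tuple(pkt)
    a, b = sorted([(src, sport), (dst, dport)])
    return _bucket(a[0] + b[0] + struct.pack("!HHB", a[1], b[1], proto), num_rings)


def ring_for_naive(pkt, num_rings):
    """Direction-sensitive hash: the reply packets of a flow may go elsewhere."""
    src, dst, proto, sport, dport = five_tuple(pkt)
    return _bucket(src + dst + struct.pack("!HHB", sport, dport, proto), num_rings)


def distribute(packets, num_rings):
    """Map ring index -> list of packet indexes, as a cluster of workers sees them."""
    rings = {i: [] for i in range(num_rings)}
    for idx, pkt in enumerate(packets):
        rings[ring_for(pkt, num_rings)].append(idx)
    return rings
```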
Is PF_RING compatible with Aanval?
PF_RING is external to Aanval, so the answer to this question is yes. We have many customers around the globe utilizing PF_RING to perform high speed packet analysis with both Snort and Suricata.
Why use PF_RING?
If your network traffic is anywhere near or above a 100MB line rate, then you need a high-speed packet filter.
From the ntop website, a further description of who may need PF_RING:
"The term ‘many’ changes according to the hardware you use for traffic analysis. It can range from 80k pkt/sec on a 1,2GHz ARM to 14M pkt/sec and above on a low-end 2,5GHz Xeon. PF_RING not only enables you to capture packets faster, it also captures packets more efficiently preserving CPU cycles."