Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit for more information.


From Aanval Wiki
Jump to: navigation, search

High-speed packet capture, filtering, and analysis.

In simple terms, PF_RING allows packets on a single interface to be segmented across multiple threads/cores, allowing for more efficient packet processing. Packets are inspected at a much lower level than traditional packet sniffers/engines, therefore reducing resource cost and increasing overall efficiency.

What is PF_RING?

PF_RING is an alternative network socket that dramatically improves packet capture speed characterized by the following properties:

  1. Available for Linux kernels 2.6.18 and newer.
  2. As of version 4.X, PF_RING can be used with vanilla kernels (i.e. no kernel patch required).
  3. PF_RING-aware drivers for increased packet capture acceleration.
  4. 10 Gbit Hardware Packet Filtering using commodity network adapters.
  5. User-space DNA (Direct NIC Access) drivers for extreme packet capture/transmission speed as the NIC NPU (Network Process Unit) is pushing/getting packets to/from userland without any kernel intervention. Using the 10Gbit DNA driver you can send/receive at wire-speed at any packet sizes.
  6. Libzero for DNA for distributing packets in zero-copy across threads and applications.
  7. Device driver independent.
  8. Kernel-based packet capture and sampling.
  9. Libpcap support for seamless integration with existing pcap-based applications.
  10. Ability to specify hundreds of header filters in addition to BPF.
  11. Content inspection, so that only packets matching the payload filter are passed.
  12. PF_RING plugins for advanced packet parsing and content filtering.
  13. Ability to work in transparent mode (i.e. the packets are also forwarded to upperlinks so existing applications will work as usual).

Is PF_RING compatible with Aanval?

PF_RING is external to Aanval, so the answer to this question is yes. We have many customers around the globe utilizing PF_RING to perform high speed packet analysis with both Snort and Suricata.

Why use PF_RING?

If your network is anything more than approaching 100MB line rate, then you are in need of a high speed packet filter.

From the ntop website, a further description as to who may necessarily need PF_RING:

"The term ‘many’ changes according to the hardware you use for traffic analysis. It can range from 80k pkt/sec on a 1,2GHz ARM to 14M pkt/sec and above on a low-end 2,5GHz Xeon. PF_RING not only enables you to capture packets faster, it also captures packets more efficiently preserving CPU cycles."

See Also

External Links