Passive packet capture is widely used in network security, especially in intrusion detection systems (IDS) and firewalls. Many IDS tools, such as tcpdump, ethereal and snort, rely on this mechanism. Nowadays, many application-layer services, like P2P and VoIP, have become popular on the web and overload the Internet. The traditional packet capture architecture is no longer efficient on a Gigabit network: it loses most of the packets when flooded by high-speed data transfer. There are various reasons for this; CPU frequency and the packet handling mechanism of the operating system are considered the most important. To solve the problem, new techniques such as "NAPI", "device polling" and "zero-copy" have been designed. Zero-copy is already applied in routers, firewalls and IDS systems, but the drivers of the NIC (network interface card) must be modified so that user-space applications can directly access memory in kernel space. This is inconvenient when porting the technique to new hardware or a new operating system.

Based on zero-copy, Luca Deri introduced a new architecture named "PF_RING". In this architecture, modifying the NIC driver is no longer needed. In kernel space, together with NAPI, a newly designed packet buffer is deployed and the NIC interrupt handling is improved. In user space, packets received from the NIC are transferred directly to application processes by memory mapping ("mmap"). "PF_RING" is designed for the PC; it is a high-performance solution for high-speed packet capture. It has various interfaces and can be used on various systems without much rework.

Our work is based on the "PF_RING" architecture and proceeds as follows. First, we study the principles of "PF_RING" in depth and apply it in our own network environment as a kernel module; this involves several steps: "loading and unloading the kernel module", "registering the PF_RING protocol", "initialization of the ring cache", "adding an skb to the ring cache" and so on. Then we concentrate on the interface to the libpcap library and implement the PF_RING architecture by encapsulating it in libpcap. We have tested its performance and analyzed the results. Finally, we port the PF_RING architecture to an embedded system (PowerPC 8540), in order to do further research on Gigabit network firewalls and IDS systems.
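The ring cache that the kernel module fills and user space drains through mmap, as an added illustration that is not the thesis's or PF_RING's own code: a simplified single-producer/single-consumer ring in C. The slot layout and the counter names (insert_idx, remove_idx, tot_pkts, tot_lost) are assumptions modeled loosely on PF_RING, not its real definitions. It shows why the producer must never block in interrupt context and how overload becomes a visible tot_lost counter instead of silent loss.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a PF_RING-style ring cache: fixed slots shared between
 * the kernel producer (copies each skb in) and the user-space consumer (reads
 * through the mmap'd region). Names are assumptions for this illustration. */
#define RING_SLOTS   8                   /* power of two so index wrap is safe */
#define SLOT_PAYLOAD 64                  /* snaplen: bytes kept per packet */

struct slot {
    uint16_t caplen;                     /* bytes actually stored in payload */
    uint8_t  payload[SLOT_PAYLOAD];
};

struct ring {
    volatile uint32_t insert_idx;        /* advanced only by the producer */
    volatile uint32_t remove_idx;        /* advanced only by the consumer */
    uint64_t tot_pkts;                   /* packets offered to the ring */
    uint64_t tot_lost;                   /* packets dropped because it was full */
    struct slot slots[RING_SLOTS];
};

/* Producer side ("add skb to ring cache"): returns 1 on insert, 0 on drop.
 * Runs in softirq context, so a full ring means drop and count, never wait. */
int ring_add_skb(struct ring *r, const uint8_t *pkt, size_t len) {
    r->tot_pkts++;
    if (r->insert_idx - r->remove_idx == RING_SLOTS) { r->tot_lost++; return 0; }
    struct slot *s = &r->slots[r->insert_idx % RING_SLOTS];
    s->caplen = len > SLOT_PAYLOAD ? SLOT_PAYLOAD : (uint16_t)len;  /* truncate */
    memcpy(s->payload, pkt, s->caplen);
    r->insert_idx++;                     /* publish only after the copy is done */
    return 1;
}

/* Consumer side: user space polls the mapped ring, no syscall per packet. */
int ring_recv(struct ring *r, uint8_t *out, size_t out_len, uint16_t *caplen) {
    if (r->insert_idx == r->remove_idx) return 0;           /* ring is empty */
    const struct slot *s = &r->slots[r->remove_idx % RING_SLOTS];
    *caplen = s->caplen;
    memcpy(out, s->payload, s->caplen < out_len ? s->caplen : out_len);
    r->remove_idx++;                     /* release the slot only after reading */
    return 1;
}

/* Flood a fresh ring with n packets of len bytes and return how many were lost. */
uint64_t lost_after_flood(unsigned n, size_t len) {
    static struct ring r; memset(&r, 0, sizeof r);
    uint8_t pkt[256] = {0};              /* constructed dummy packet */
    for (unsigned i = 0; i < n; i++) ring_add_skb(&r, pkt, len);
    return r.tot_lost;
}
```
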