Hongke pure software network monitoring solution (1) - high-speed packet capture, filtering and analysis tool PF_RING

As is well known, ntop is a tool for monitoring network traffic. Using ntop to display network usage is more intuitive and detailed than other network management software: ntop can even list the bandwidth utilization of each node on the network. ntop is also a company that has focused on software-based network monitoring solutions for more than 10 years, offering tools for traffic capture, traffic recording, network probes and traffic analysis; these tools can be used alone or combined to form different solutions. Hongke has reached a cooperation agreement with ntop and is the exclusive agent for its products in China, providing the corresponding technical support. PF_RING is a new type of network socket that can significantly increase packet capture speed.

Vanilla PF_RING™

PF_RING polls packets from the NIC through Linux NAPI. This means that NAPI copies the packet from the NIC into the PF_RING circular buffer, and the userland application then reads the packet from the ring. In this case there are two pollers, the application and NAPI, so CPU cycles are spent on this polling. The advantage is that PF_RING can distribute incoming packets to multiple rings (and therefore to multiple applications) at the same time.
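The data path just described, as an added example that is not ntop's or PF_RING's own code: a single-producer/single-consumer packet ring where a "NAPI side" copies each frame into the ring and a "userland side" polls the ring and reads it back. The names (pkt_ring_*, simulate_burst, burst_received, burst_dropped) are hypothetical and the frames are constructed; the simulation shows what happens when the consumer falls behind a burst.

```c
/* Added example (not ntop's or PF_RING's code): a single-producer /
 * single-consumer packet ring mirroring the vanilla PF_RING data path.
 * All names here (pkt_ring_*, simulate_burst, ...) are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RING_SLOTS 8          /* power of two so the index wrap is a mask */
#define SLOT_BYTES 64         /* snaplen per slot; longer frames are truncated */

struct pkt_slot {
    uint32_t len;             /* bytes actually stored in data[] */
    uint8_t  data[SLOT_BYTES];
};

struct pkt_ring {
    struct pkt_slot slots[RING_SLOTS];
    uint32_t head;            /* next slot the producer (NAPI side) writes */
    uint32_t tail;            /* next slot the consumer (userland) reads */
    uint64_t dropped;         /* packets lost because the ring was full */
};

static void pkt_ring_init(struct pkt_ring *r) { memset(r, 0, sizeof *r); }

/* Producer: called once per packet from the NAPI poll loop. This is the one
 * copy (NIC buffer -> ring) that vanilla PF_RING pays. When userland has not
 * kept up, the packet is counted as dropped instead of overwriting data. */
static int pkt_ring_push(struct pkt_ring *r, const uint8_t *pkt, uint32_t len)
{
    if (r->head - r->tail == RING_SLOTS) {   /* ring full */
        r->dropped++;
        return 0;
    }
    struct pkt_slot *s = &r->slots[r->head & (RING_SLOTS - 1)];
    s->len = len > SLOT_BYTES ? SLOT_BYTES : len;
    memcpy(s->data, pkt, s->len);
    r->head++;                /* head/tail only grow; unsigned wrap is fine */
    return 1;
}

/* Consumer: the application's own poll of the ring (the second poller the
 * text mentions). Returns the packet length, or -1 when the ring is empty. */
static int pkt_ring_pop(struct pkt_ring *r, uint8_t *out, uint32_t out_cap)
{
    if (r->head == r->tail) return -1;
    struct pkt_slot *s = &r->slots[r->tail & (RING_SLOTS - 1)];
    uint32_t n = s->len < out_cap ? s->len : out_cap;
    memcpy(out, s->data, n);
    r->tail++;
    return (int)n;
}

struct burst_result { unsigned received; uint64_t dropped; };

/* Simulation: NAPI delivers `burst` frames while the application is busy,
 * then the application drains the ring. Anything beyond RING_SLOTS frames
 * is lost, which is why ring size and consumer speed both matter. */
static struct burst_result simulate_burst(unsigned burst)
{
    struct pkt_ring ring;
    struct burst_result res = { 0, 0 };
    uint8_t frame[SLOT_BYTES], out[SLOT_BYTES];
    pkt_ring_init(&ring);
    for (unsigned i = 0; i < burst; i++) {
        memset(frame, (int)(i & 0xff), sizeof frame);  /* constructed dummy frame */
        pkt_ring_push(&ring, frame, sizeof frame);
    }
    while (pkt_ring_pop(&ring, out, sizeof out) >= 0)
        res.received++;
    res.dropped = ring.dropped;
    return res;
}

static unsigned burst_received(unsigned burst) { return simulate_burst(burst).received; }
static uint64_t burst_dropped(unsigned burst)  { return simulate_burst(burst).dropped; }

int main(void)
{
    struct burst_result r = simulate_burst(12);
    printf("burst of 12 frames into a %d-slot ring: received %u, dropped %llu\n",
           RING_SLOTS, r.received, (unsigned long long)r.dropped);
    return 0;
}
```

The memcpy in pkt_ring_push is the copy that the zero-copy (ZC) drivers described later remove, and the spin in the consumer loop is the second polling cost; a real deployment sizes the ring for the expected burst and watches the dropped counter.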

PF_RING module

PF_RING™ has a modular architecture and can use components beyond the standard PF_RING™ core module. The currently available module sets include:

  • ZC module
      See the ZC page for more information.
  • FPGA-based board modules
      These modules add support for adapters from many vendors, including Accolade, Exablaze, Napatech, Netcope, ...
  • Stack module
      This module can be used to inject packets into the Linux network stack.
  • Timeline module
      This module can be used to seamlessly extract traffic from an n2disk dump set using the PF_RING™ API.
  • Sysdig module
      This module uses the sysdig kernel module to capture system events.

PF_RING ZC (zero copy)

PF_RING™ ZC (Zero Copy) is a flexible packet processing framework that lets you achieve 1/10 Gbit wire-speed packet processing (RX and TX) at any packet size. It implements zero-copy operation, including modes for inter-process and inter-VM (KVM) communication. It can be regarded as the successor of DNA/LibZero, providing a single, consistent API based on the lessons learned over the past few years. Its clean and flexible API implements simple building blocks (queues, workers and pools) that can be used from threads, applications and virtual machines. This enables 10 Gbit wire-speed packet processing.

For users who need maximum packet capture speed and 0% CPU utilization for copying packets to the host (that is, without the NAPI polling mechanism), the ZC drivers (the new generation of DNA) can be used: they obtain packets directly from the network interface in a zero-copy manner, bypassing both the Linux kernel and the PF_RING module.
Note: PF_RING ZC is not free to use; you must purchase the corresponding license.

PF_RING FT (flow table)

Most network monitoring and security applications are based on flow processing, which includes packet capture, decoding and classification. PF_RING™ is a flexible framework that can be used to speed up packet capture, using the PF_RING™ ZC drivers or a dedicated adapter, and to extract packet metadata. This lets the application focus on packet processing rather than on packet capture and parsing, while running at peak performance.
PF_RING™ FT goes one step further: it assists any flow processing application with packet classification. PF_RING™ FT implements a flow table that can be used to track flows, and provides many hooks so that it can be customized and extended to build any kind of application on top of it, including probes, IDS, IPS and L7 firewalls.
PF_RING™ FT is highly optimized: it can process 10 Gbit line rate on a single CPU core of a low-end Xeon E3 and scales to 100 Gbit on multi-core systems. The table below shows the results of performance tests:
[Figure: PF_RING FT performance test results (image not available in this copy)]
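The flow table and hook mechanism described in this section, as an added example that is not PF_RING FT's own code: a minimal bidirectional 5-tuple flow table with a per-packet hook through which a probe, IDS or L7 classifier attaches its own logic (here a toy hook that tags HTTP by its request line). All names (flow_table, ft_process, ft_canonical, http_hook, demo_*) are hypothetical and the traffic fed into it is constructed.

```c
/* Added example (not PF_RING FT's code): a minimal bidirectional 5-tuple flow
 * table with a per-packet hook. All names are hypothetical and the traffic
 * below is constructed. */
#include <stdint.h>
#include <string.h>

#define FT_BUCKETS   256
#define FT_MAX_FLOWS 1024
enum { APP_UNKNOWN = 0, APP_HTTP = 1 };

struct flow_key { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

/* One tracked flow; app_id is filled in by the classification hook. */
struct flow { struct flow_key key; uint64_t packets, bytes; uint8_t app_id; struct flow *next; };

typedef void (*flow_hook_t)(struct flow *f, const uint8_t *payload, uint32_t plen);

/* Fixed storage (no malloc) so memory stays bounded under a flood of new flows. */
struct flow_table { struct flow *buckets[FT_BUCKETS]; struct flow pool[FT_MAX_FLOWS];
                    unsigned used; flow_hook_t hook; };

/* Both directions of a connection share one key: the numerically lower
 * (ip, port) pair is always stored as "src". */
static struct flow_key ft_canonical(struct flow_key k)
{
    if (k.src_ip > k.dst_ip || (k.src_ip == k.dst_ip && k.src_port > k.dst_port)) {
        uint32_t ip = k.src_ip; k.src_ip = k.dst_ip; k.dst_ip = ip;
        uint16_t pt = k.src_port; k.src_port = k.dst_port; k.dst_port = pt;
    }
    return k;
}

/* FNV-1a over the key fields (not the raw struct, so padding bytes never leak in). */
static uint32_t ft_hash(const struct flow_key *k)
{
    uint32_t w[4] = { k->src_ip, k->dst_ip, ((uint32_t)k->src_port << 16) | k->dst_port, k->proto };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 16; i++) { h ^= (w[i / 4] >> (8 * (i % 4))) & 0xffu; h *= 16777619u; }
    return h;
}

static int ft_key_eq(const struct flow_key *a, const struct flow_key *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->src_port == b->src_port &&
           a->dst_port == b->dst_port && a->proto == b->proto;
}

/* Per-packet entry point: find or create the flow, update counters, run the hook.
 * Returns NULL when the table is full (a real table would age idle flows out). */
static struct flow *ft_process(struct flow_table *t, struct flow_key k, const uint8_t *payload, uint32_t plen)
{
    k = ft_canonical(k);
    uint32_t b = ft_hash(&k) % FT_BUCKETS;
    struct flow *f = t->buckets[b];
    while (f && !ft_key_eq(&f->key, &k)) f = f->next;
    if (!f) {
        if (t->used == FT_MAX_FLOWS) return NULL;
        f = &t->pool[t->used++];
        memset(f, 0, sizeof *f);
        f->key = k;
        f->next = t->buckets[b];
        t->buckets[b] = f;
    }
    f->packets++;
    f->bytes += plen;
    if (t->hook) t->hook(f, payload, plen);
    return f;
}

/* Toy L7 hook: tag the flow as HTTP the first time a request line shows up. */
static void http_hook(struct flow *f, const uint8_t *payload, uint32_t plen)
{
    if (f->app_id == APP_UNKNOWN && plen >= 4 &&
        (memcmp(payload, "GET ", 4) == 0 || memcmp(payload, "POST", 4) == 0))
        f->app_id = APP_HTTP;
}

/* Constructed traffic: 10.0.0.1:40000 <-> 10.0.0.2:80 (request, reply, request)
 * plus one UDP datagram 10.0.0.1:5353 -> 10.0.0.3:53. */
static struct flow_table g_table;
static struct flow *g_http;        /* the merged HTTP connection after the demo */

static unsigned demo_flow_count(void)   /* returns the number of distinct flows */
{
    const struct flow_key c2s = { 0x0a000001, 0x0a000002, 40000, 80, 6 };
    const struct flow_key s2c = { 0x0a000002, 0x0a000001, 80, 40000, 6 };
    const struct flow_key udp = { 0x0a000001, 0x0a000003, 5353, 53, 17 };
    static const uint8_t req[]  = "GET /index.html HTTP/1.1\r\n";   /* 26 bytes */
    static const uint8_t resp[] = "HTTP/1.1 200 OK\r\n";            /* 17 bytes */
    memset(&g_table, 0, sizeof g_table);
    g_table.hook = http_hook;
    ft_process(&g_table, c2s, req, sizeof req - 1);
    g_http = ft_process(&g_table, s2c, resp, sizeof resp - 1);  /* reply lands on the same flow */
    ft_process(&g_table, c2s, req, sizeof req - 1);
    ft_process(&g_table, udp, (const uint8_t *)"\x00\x01", 2);
    return g_table.used;
}

static uint64_t demo_http_packets(void) { demo_flow_count(); return g_http->packets; }
static uint64_t demo_http_bytes(void)   { demo_flow_count(); return g_http->bytes; }
static int      demo_http_app_id(void)  { demo_flow_count(); return g_http->app_id; }
```

Two design points carry over to any real flow table: the key is canonicalised so both directions of a connection update one entry, and the storage is pre-allocated and bounded, so a burst of new flows cannot exhaust memory; what this toy lacks, and a production table needs, is flow expiry and export of finished flows.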

Who needs PF_RING

Basically, anyone who has to process many packets per second. What "many" means depends on the hardware you use for traffic analysis: it can range from 80k pkt/sec on a 1.2 GHz ARM to 14M pkt/sec on a low-end 2.5 GHz Xeon, and even higher. PF_RING™ not only lets you capture packets faster, it also captures them more efficiently, saving CPU cycles. Here are some figures: you can see how fast nProbe (a NetFlow v5/v9 probe) can run with PF_RING™, or take a look at the table below.
[Figure: nProbe throughput with PF_RING (image not available in this copy)]
1 Gbit test using a Core2Duo 1.86 GHz, Ubuntu Server 9.10 (kernel 2.6.31-14) and an IXIA 400 traffic generator injecting traffic at line rate (64-byte packets, 1.48 Mpps):
[Figure: 1 Gbit test results table (image not available in this copy)]

Origin blog.csdn.net/HongkeTraining/article/details/108386595