Back in my college days, packet sniffing on an Ethernet LAN was supposed to be the easiest task in programming, using the socket domain PF_PACKET. Unfortunately, this old simple trick is of no use when we are dealing with heavy traffic. To capture packets in promiscuous mode on gigabit, surely this was impossible to achieve using lame LPF methods. While googling, I saw some advanced research and implementation done by ntop's Luca Deri. His project PF_RING for enhancing packet capturing is really good. The good points about his project are...
1) Implementing hooks on netif_rx, netif_receive_skb and dev_queue_xmit to copy the packet to mmap'ed space.
2) Use of mmap to directly access userspace memory, although several projects out there use mmap.
3) Keeping records of each packet, dropped or received.
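As an added example (not code from the original post, from PF_RING or from ntop), here is the "old simple trick" the post opens with: a PF_PACKET raw socket put into promiscuous mode on one interface, with the Ethernet-header parsing split into a pure function so it can be checked offline on a constructed frame. It assumes Linux, CAP_NET_RAW (or root) to open the socket, and an interface name passed as argv[1]; the sample frame and the counters are constructed for illustration.

```c
/* Added example, not code from the original post: a minimal PF_PACKET
 * sniffer in promiscuous mode. The Ethernet-header parser is separate so
 * it can be exercised on a constructed frame without a NIC.
 * Assumptions: Linux, CAP_NET_RAW (or root), interface name in argv[1]. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>              /* if_nametoindex */
#include <netinet/if_ether.h>    /* ETH_P_ALL, ETH_P_IP */
#include <linux/if_packet.h>     /* sockaddr_ll, packet_mreq, PACKET_MR_PROMISC */

#define ETH_HDR_LEN 14

struct eth_view {
    uint8_t  dst[6];
    uint8_t  src[6];
    uint16_t ethertype;          /* host byte order */
};

/* Parse the 14-byte Ethernet II header. Returns 0 on success, -1 if the
 * buffer is too short to hold a header (a runt). */
int parse_eth_header(const uint8_t *frame, size_t len, struct eth_view *out)
{
    if (len < ETH_HDR_LEN) return -1;
    memcpy(out->dst, frame, 6);
    memcpy(out->src, frame + 6, 6);
    out->ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    return 0;
}

/* Convenience: ethertype of a frame, or -1 for a runt. */
int frame_ethertype(const uint8_t *frame, size_t len)
{
    struct eth_view v;
    return parse_eth_header(frame, len, &v) == 0 ? (int)v.ethertype : -1;
}

/* Constructed sample frame (not captured traffic): broadcast destination,
 * a locally administered source MAC, IPv4 ethertype, one payload byte. */
const uint8_t sample_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x08, 0x00,
    0x45
};
const size_t sample_frame_len = sizeof sample_frame;

/* Open a raw PF_PACKET socket bound to ifname and join the promiscuous
 * membership so the NIC also delivers frames not addressed to this host.
 * Returns the socket fd, or -1 on any failure. */
int open_promisc_socket(const char *ifname)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;

    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0) { close(fd); return -1; }

    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = (int)ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }

    struct packet_mreq mr;
    memset(&mr, 0, sizeof mr);
    mr.mr_ifindex = (int)ifindex;
    mr.mr_type    = PACKET_MR_PROMISC;
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <ifname>\n", argv[0]); return 1; }
    int fd = open_promisc_socket(argv[1]);
    if (fd < 0) { perror("open_promisc_socket"); return 1; }

    /* One recv() syscall and one copy per frame: this is exactly the
     * per-packet cost that makes the approach fall over at gigabit rates. */
    uint8_t buf[65536];
    unsigned long total = 0, ipv4 = 0;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        total++;
        if (frame_ethertype(buf, (size_t)n) == ETH_P_IP) ipv4++;
        if (total % 1000 == 0)
            printf("%lu frames seen, %lu IPv4\n", total, ipv4);
    }
    close(fd);
    return 0;
}
```

Every frame costs a syscall and a kernel-to-user copy here; PF_RING's mmap'ed ring (point 2 above) exists to remove both from the per-packet path. The PACKET_ADD_MEMBERSHIP route is preferable to flipping IFF_PROMISC with ioctl because the kernel drops the promiscuous reference automatically when the socket closes.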
With the introduction of NAPI support in the 2.6.x kernel, it looks quite achievable to capture packets at gigabit speed. Polling is definitely helpful in reducing kernel interrupt load in heavy traffic. To understand the implementation I studied my 3Com LAN card driver. The technique is to disable interrupts on the first packet arrival and switch to polling mode. After processing all the packets, re-enable interrupts (quite smart).
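To make the interrupt/poll switch concrete, here is an added user-space model of that state machine; it is not code from the post, from the 3Com driver or from the kernel. It assumes a NIC modelled as a bounded receive ring, an "interrupt" that fires only when a frame arrives while interrupts are armed, and a poll routine that processes at most a fixed budget per call and re-arms interrupts only when it drains the ring within that budget (64 is the kernel's usual NAPI weight; the tick, rate and ring size are constructed parameters).

```c
/* Added example, not driver or kernel code: a user-space model of the NAPI
 * interrupt -> poll -> re-arm cycle the post describes.
 * Assumptions (constructed): the RX ring holds MAX_PENDING frames, one
 * poll() pass runs per tick, and a poll that uses its whole budget stays
 * scheduled instead of re-enabling interrupts. */
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 4096

struct nic_model {
    int pending;             /* frames waiting in the RX ring */
    int irq_enabled;         /* 1 = interrupts armed, 0 = polling mode */
    int scheduled;           /* a poll() pass is pending */
    unsigned long irqs;      /* interrupts taken */
    unsigned long polls;     /* poll() invocations */
    unsigned long processed; /* frames handed up the stack */
    unsigned long dropped;   /* ring overflow, as PF_RING's bookkeeping would record */
};

void nic_init(struct nic_model *n)
{
    memset(n, 0, sizeof *n);
    n->irq_enabled = 1;
}

/* A frame arrives from the wire. A full ring means a drop. */
void nic_frame_arrives(struct nic_model *n)
{
    if (n->pending >= MAX_PENDING) { n->dropped++; return; }
    n->pending++;
    if (n->irq_enabled) {
        /* Interrupt handler: mask further interrupts, schedule polling. */
        n->irqs++;
        n->irq_enabled = 0;
        n->scheduled = 1;
    }
}

/* One poll pass: process up to `budget` frames. Returns frames processed. */
int nic_poll(struct nic_model *n, int budget)
{
    if (!n->scheduled) return 0;
    n->polls++;
    int done = 0;
    while (done < budget && n->pending > 0) { n->pending--; done++; }
    n->processed += done;
    if (done < budget) {
        /* Ring drained within budget: leave polling mode, re-arm interrupts. */
        n->scheduled = 0;
        n->irq_enabled = 1;
    }
    /* Otherwise stay scheduled: the next poll pass will be called without
     * any interrupt, which is where the interrupt load disappears. */
    return done;
}

/* Run `ticks` steps with `rate` arrivals per tick and one poll per tick,
 * then let polling drain whatever is left. */
void simulate(int ticks, int rate, int budget, struct nic_model *out)
{
    struct nic_model n;
    nic_init(&n);
    for (int t = 0; t < ticks; t++) {
        for (int i = 0; i < rate; i++) nic_frame_arrives(&n);
        nic_poll(&n, budget);
    }
    while (n.scheduled) nic_poll(&n, budget);
    *out = n;
}

unsigned long count_irqs(int ticks, int rate, int budget)
{ struct nic_model n; simulate(ticks, rate, budget, &n); return n.irqs; }

unsigned long count_polls(int ticks, int rate, int budget)
{ struct nic_model n; simulate(ticks, rate, budget, &n); return n.polls; }

unsigned long count_drops(int ticks, int rate, int budget)
{ struct nic_model n; simulate(ticks, rate, budget, &n); return n.dropped; }

int main(void)
{
    /* Light load: every frame costs an interrupt. Heavy load: one interrupt
     * starts a polling run that absorbs thousands of frames. */
    int rates[] = { 1, 10, 200, 5000 };
    for (int i = 0; i < 4; i++) {
        struct nic_model n;
        simulate(10, rates[i], 64, &n);
        printf("rate=%5d/tick irqs=%3lu polls=%4lu processed=%6lu dropped=%5lu\n",
               rates[i], n.irqs, n.polls, n.processed, n.dropped);
    }
    return 0;
}
```

At one frame per tick the model takes one interrupt per frame, exactly the pre-NAPI behaviour. At 200 frames per tick a single interrupt starts a polling run and all 2000 frames are delivered in 32 poll passes with no further interrupts. At 5000 frames in one tick the ring overflows and the dropped counter is the only evidence that traffic was lost, which is why the post singles out per-packet drop accounting (point 3 above) as something worth having.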
For the sake of understanding the concept and how it works, I modified the source code of the PF_RING module and removed the outgoing packet capturing routine from both the kernel core and ring modules. It further improves the performance, but it's still wasting a lot of time in bookkeeping packet information.
Another project by Luca is nCap, which offers 100% packet capturing facility and will be the next project I'll study.