
Alternative to pcap (Linux)

On a Linux router I wrote a C program which uses pcap to get the IP header and length of the packet. In that way I am able to gather statistics and measure bandwidth based on IP. Pretty neat. :-)

Now the traffic and number of users have grown, and the old program starts to struggle. That is, the router struggles to cope with the massive amount of packets. It's over 50000 packets per second all in all in "prime time".

The program itself is pretty optimized. I don't want to show off, but I believe it's as good as it can get. It reads the IP header and the packet length. It then converts the IP to an index (just a simple subtract), and the length of the packet is stored (accumulated) in an array. Every now and then (actually on a SIGALRM) it stores the array in a MySQL database.

My question is: Is there any other way to tap into an Ethernet device to get the bit-stream "cheaper" than pcap?

I can of course modify the Ethernet driver to include single-IP statistics gathering, but that seems a little overkill.

Basically my program is a 'tcpdump' on a busy eth0 and that will eventually kill my router.
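The accumulator the question describes (IP address to array index by subtraction, packet length summed into that slot), as an added example in C that is not the asker's program. It parses a raw Ethernet/IPv4 frame so any capture source (pcap or otherwise) can feed it, and it bounds-checks the index, because an address outside the monitored range would otherwise write past the array. Assumed: a 10.0.0.0/16 monitored range and a constructed sample frame.

```c
/* Added example, not the asker's code. Assumes the monitored range is
 * 10.0.0.0/16; the capture layer (pcap, PF_RING, ...) hands us raw frames. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define BASE_IP     0x0A000000u   /* 10.0.0.0, assumed start of monitored range */
#define TABLE_SIZE  65536u        /* one slot per host in a /16 */

/* Per-host byte counters; the original flushes these to MySQL on a timer. */
static uint64_t bytes_by_ip[TABLE_SIZE];

/* Slot index for a host-order IPv4 address, or -1 if it lies outside the
 * monitored range. Without this check a spoofed source address turns the
 * "simple subtract" into an out-of-bounds write on the array. */
int ip_to_index(uint32_t ip_host_order) {
    uint32_t off = ip_host_order - BASE_IP;  /* wraps for addresses below BASE_IP */
    return off < TABLE_SIZE ? (int)off : -1;
}

/* Accounts wire_len bytes to the frame's IPv4 source address.
 * Returns 0 on success, -1 if the buffer is not a sane IPv4 frame. */
int account_frame(const uint8_t *frame, size_t frame_len, size_t wire_len) {
    if (frame_len < ETH_HDR_LEN + 20) return -1;            /* too short */
    if (frame[12] != 0x08 || frame[13] != 0x00) return -1;  /* not IPv4 */
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return -1;                       /* version */
    if ((ip[0] & 0x0F) * 4 < 20) return -1;                 /* bogus IHL */
    uint32_t src;
    memcpy(&src, ip + 12, 4);                               /* network order */
    int idx = ip_to_index(ntohl(src));
    if (idx < 0) return -1;                                 /* outside range */
    bytes_by_ip[idx] += wire_len;
    return 0;
}

/* Read back the counter for one host (0 if outside the monitored range). */
uint64_t bytes_for(uint32_t ip_host_order) {
    int idx = ip_to_index(ip_host_order);
    return idx < 0 ? 0 : bytes_by_ip[idx];
}

/* Constructed sample: Ethernet header + minimal IPv4 header,
 * src 10.0.1.7, dst 10.0.0.1, protocol TCP. */
const uint8_t sample_frame[34] = {
    0,0,0,0,0,0,  0,0,0,0,0,0,  0x08,0x00,
    0x45,0x00,0x00,0x14,  0,0,  0,0,  64,6,  0,0,
    10,0,1,7,  10,0,0,1 };
```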

Have you considered PF_RING? It's still the pcap-like world, but on steroids, thanks to the zero-copy mechanism:

[image]

As you see, there is a kernel module that provides low-level packet copying into the PF_RING buffer, and there is the userland part that allows access to this buffer.

Who needs PF_RING?

Basically everyone who has to handle many packets per second. The term 'many' changes according to the hardware you use for traffic analysis. It can range from 80k pkt/sec on a 1,2GHz ARM to 14M pkt/sec and above on a low-end 2,5GHz Xeon. PF_RING not only enables you to capture packets faster, it also captures packets more efficiently, preserving CPU cycles....

I highly recommend you to use PF_RING ZC. It can be found under /userland/examples_zc. It is part of pf_ring.

You can handle and capture tens of Gbps of traffic at line rate with pf_ring zc.
