PF_PACKET introduction
This is access to raw packet inside Linux. It is used by libpcap and by other projects like Suricata.
PF_PACKET performance can be improved via dedicated features:
- Zero-copy RX/TX
- Socket clustering
- Linux socket filtering (BPF)
BPF architecture looks like a small virtual machine with register and memory stores. It has different instructions and the kernel has its own kernel extensions to access to cpu number, vlan tag.
Netsniff-NG
Netsniff-ng is a set of minimal tools:
- netsniff-ng, a high-performance zero-copy analyzer, pcap capturing and replaying tool
- trafgen, a high-performance zero-copy network traffic generator
- mausezahn, a packet generator and analyzer for HW/SW appliances with a Cisco-CLI
- bpfc, a Berkeley Packet Filter (BPF) compiler with Linux extensions
- ifpps, a top-like kernel networking and system statistics tool
- flowtop, a top-like netfilter connection tracking tool
- curvetun, a lightweight multiuser IP tunnel based on elliptic curve cryptography
- astraceroute, an autonomous system (AS) trace route utility
netsniff-ng can be used to capture with advanced option like using a dedicated CPU or using a BPF filter compiled via bpfc instead of a tcpdump like expression.
trafgen can used to generate high speed traffic, using multiple CPUs, and complex configuration/setup even including fuzzing.
A description of the packet can be given where each element is built using different functions.
It can even be combined with tc (for example netem to simulate specific network condition).
The future include to find a way to utilize multicore efficiently with packet_fanout and disk writing.