
PF_RING Study in the High-Speed Acquisition of Network Flow

Posted on: 2010-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: Q Liu
GTID: 2208330332978087
Subject: Computer software and theory
Abstract/Summary:
Network stream capturing means capturing protocol data units at the data link layer through technical means. Techniques related to network stream capturing include network interface card (NIC) programming, interrupt management, device polling management, direct memory access (DMA), and so on. Traditional network stream capturing techniques have some problems, including low capturing efficiency and high CPU utilization. One cause of these problems is the redundant data copying that occurs in the traditional capturing mode when captured packets are transmitted from the network card to user-space applications. In high-speed networks, especially under high traffic with short packets, frequent network card interrupts drive the system into a state of interrupt livelock. To adapt to the development of high-speed networks and meet the requirements of high-speed network capturing, zero-copy, device polling and other mechanisms have been proposed. PF_RING is a new kind of zero-copy solution that improves the performance of network stream capturing and does not need the NIC driver to be modified. The device polling mechanism is realized through NAPI under Linux. NAPI is a technology that can improve network processing efficiency; its main idea is to introduce device polling in place of interrupts. Because of its many advantages, PF_RING has gradually become the main technique in current high-speed network environments.

The thesis analyses the principle and implementation of PF_RING in depth and points out the advantages and disadvantages of the PF_RING mechanism. Based on PF_RING, it implements a new universal interface for developers to program against. The PF_RING mechanism is successfully applied to a Gigabit Intrusion Detection System (GIDS), where it enhanced overall system performance.

The main contents include:
(1) An in-depth analysis of the PF_RING implementation, mainly covering the PF_RING socket architecture and implementation, the implementation of sockets in the Linux kernel, key PF_RING data structures and functions, and the PF_RING application interfaces: libpfring and libpcap-ring.
(2) The thesis constructs a universal interface that lets developers develop quickly. In doing so, it improves memory management and memory allocation. The improved PF_RING gives users the flexibility to add user-customized functions to solve specific problems.
(3) The PF_RING mechanism, together with NAPI, is introduced into the data capturing module of GIDS. The author runs tests of network stream capturing based on the PF_RING+NAPI mechanism and gives a theoretical analysis.
(4) Sensitive word matching is implemented on top of PF_RING. Because of its advantages, it satisfies the requirements of the state security department.
Keywords/Search Tags: Network Stream Capture, Zero-Copy, PF_RING, NAPI