Back in my college days, packet sniffing on an Ethernet LAN was supposed to be the easiest task in programming, using a socket with domain PF_PACKET. Unfortunately, this old simple trick is of no use when we are dealing with heavy traffic. Capturing packets in promiscuous mode on gigabit was surely impossible to achieve using the lame LPF methods. While googling, I saw some advanced research and implementation done by ntop's Luca Deri. His project PF_RING for enhancing packet capturing is really good. The good points about his project are:

1) Implementing hooks on netif_rx, netif_receive_skb and dev_queue_xmit to copy each packet into an mmap'ed space.
2) Use of mmap so that userspace can access the captured packets directly, although several other projects out there use mmap as well.
3) Keeping records of each packet, dropped or received.
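As an added example that is not part of the original post and not PF_RING's own code: the stock kernel offers a comparable memory-mapped capture path, PACKET_RX_RING on a PF_PACKET socket, which touches all three points above (the kernel copies frames into a ring, the ring is mmap'ed into userspace, and PACKET_STATISTICS reports received and dropped counts). The interface name, the ring geometry and the 100-frame limit are my own choices; open_ring() needs CAP_NET_RAW and a real interface, while parse_frame() works on any buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <poll.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Ring geometry (assumed values): 2 frames per block, 64 blocks = 128 slots.
 * Because BLOCK_SIZE is an exact multiple of FRAME_SIZE, slot i lives at
 * ring + i * FRAME_SIZE. */
#define BLOCK_SIZE 4096u
#define FRAME_SIZE 2048u
#define BLOCK_NR   64u
#define FRAME_NR   ((BLOCK_SIZE / FRAME_SIZE) * BLOCK_NR)

struct frame_summary {
    uint8_t  dst[6];
    uint8_t  src[6];
    uint16_t ethertype;   /* host byte order */
    int      is_ipv4;
};

/* Decode the Ethernet header of a captured frame. Returns 0 on success or
 * -1 when the snapshot is shorter than a header: the length check a capture
 * loop must do before touching any header field. */
int parse_frame(const unsigned char *buf, size_t len, struct frame_summary *out)
{
    if (len < ETH_HLEN) return -1;
    memcpy(out->dst, buf, 6);
    memcpy(out->src, buf + 6, 6);
    out->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    out->is_ipv4 = (out->ethertype == ETH_P_IP);
    return 0;
}

/* Open a PF_PACKET socket on ifname, enable promiscuous mode and attach a
 * TPACKET_V2 receive ring, mmap'ed at *ring. Returns the fd or -1. */
int open_ring(const char *ifname, unsigned char **ring)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return -1; }

    int ifindex = (int)if_nametoindex(ifname);
    struct sockaddr_ll sll = { .sll_family = AF_PACKET,
                               .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = ifindex };
    struct packet_mreq mr = { .mr_ifindex = ifindex, .mr_type = PACKET_MR_PROMISC };
    int ver = TPACKET_V2;
    struct tpacket_req req = { BLOCK_SIZE, BLOCK_NR, FRAME_SIZE, FRAME_NR };

    if (ifindex == 0 ||
        bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof ver) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof req) < 0) {
        perror("ring setup"); close(fd); return -1;
    }
    *ring = mmap(NULL, (size_t)BLOCK_SIZE * BLOCK_NR, PROT_READ | PROT_WRITE,
                 MAP_SHARED, fd, 0);
    if (*ring == MAP_FAILED) { perror("mmap"); close(fd); return -1; }
    return fd;
}

/* Walk the ring: every slot begins with a tpacket2_hdr. The kernel sets
 * TP_STATUS_USER once it has copied a frame in; userspace reads the frame in
 * place (no copy, no per-packet syscall) and writes TP_STATUS_KERNEL to hand
 * the slot back. Returns the number of frames processed. */
unsigned long capture(int fd, unsigned char *ring, unsigned long max_frames)
{
    unsigned int idx = 0;
    unsigned long seen = 0;
    while (seen < max_frames) {
        struct tpacket2_hdr *hdr = (struct tpacket2_hdr *)(ring + (size_t)idx * FRAME_SIZE);
        if (!(hdr->tp_status & TP_STATUS_USER)) {
            struct pollfd pfd = { .fd = fd, .events = POLLIN };
            poll(&pfd, 1, -1);          /* sleep until the kernel fills this slot */
            continue;
        }
        struct frame_summary s;
        if (parse_frame((unsigned char *)hdr + hdr->tp_mac, hdr->tp_snaplen, &s) == 0)
            printf("src %02x:%02x:%02x:%02x:%02x:%02x type 0x%04x len %u%s\n",
                   s.src[0], s.src[1], s.src[2], s.src[3], s.src[4], s.src[5],
                   s.ethertype, hdr->tp_len, s.is_ipv4 ? " (IPv4)" : "");
        hdr->tp_status = TP_STATUS_KERNEL;
        idx = (idx + 1) % FRAME_NR;
        seen++;
    }
    return seen;
}

/* Per-socket bookkeeping the kernel already keeps: frames delivered to the
 * ring and frames dropped because the ring was full. */
void print_stats(int fd)
{
    struct tpacket_stats st;
    socklen_t len = sizeof st;
    if (getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, &st, &len) == 0)
        printf("received %u, dropped by kernel %u\n", st.tp_packets, st.tp_drops);
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed interface name */
    unsigned char *ring;
    int fd = open_ring(ifname, &ring);
    if (fd < 0) return 1;
    capture(fd, ring, 100);
    print_stats(fd);
    munmap(ring, (size_t)BLOCK_SIZE * BLOCK_NR);
    close(fd);
    return 0;
}
```

Run it as root with the interface name as the only argument. The dropped counter from PACKET_STATISTICS is the number to watch under load: it rises as soon as the consumer falls behind and slots are not handed back fast enough, which is exactly the bottleneck a ring buffer is meant to expose rather than hide.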
With the introduction of NAPI support in the 2.6.x kernel, it looks quite achievable to capture packets at gigabit speed. Polling definitely helps reduce the kernel interrupt load under heavy traffic. To understand the implementation, I studied my 3Com LAN card driver. The technique is to disable interrupts on the first packet arrival and switch to polling mode; after processing all the packets, interrupts are re-enabled (quite smart).
For the sake of understanding the concept and how it works, I modified the source code of the PF_RING module and removed the outgoing-packet capturing routine from both the kernel core and the ring module. This further improves performance, but it is still wasting a lot of time on bookkeeping packet information.
Another project by Luca is nCap, which offers 100% packet capture and will be the next project I study.