Re: network monitoring and pf_ring?



On Wed, 24 Jan 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <MpqdnRPcCP1GcirYnZ2dnUVZ_s6dnZ2d@xxxxxxxxxxx>, A wrote:

> A couple of years ago I set up a box to perform network monitoring.
> Somewhere in my readings on the subject I remember coming across a thing
> called "pf_ring" which I believe was a kernel patch which would allow
> for fewer dropped packets on a high bandwidth link.

When in doubt, your first stop should be any standard search engine.

Web Results 1 - 10 of about 14,700 for pf_ring. (0.29 seconds)

ntop - network top
PF_RING is a new type of network socket that dramatically improves the
packet ... PF_RING not only enables you to capture packets faster, it
also captures ...
www.ntop.org/PF_RING.html - 5k - Cached - Similar pages

SourceForge.net: Files
You have selected to download PF_RING Below is a list of releases and
files contained in this package. Before downloading, you may want to
read the Release ...
sourceforge.net/project/showfiles.php?group_id=17233&package_id=110128
- 20k - Cached - Similar pages

RE: [Ntop-misc] PF_RING stuck

but you may want to look at some of the other pages below this on the
results list.

> Is this still best practice or is this no longer necessary? If I just
> use plain old libpcap is this adequate or are there some other advanced
> methods of avoiding packet loss?

Well, obviously, a lot is going to depend on your situation. How fast is
your network? 10 Megabit? 100? Gigabit? How big are the packets on
the wire? How big is the buffer on the NIC? How much traffic is on the
wire? How fast is your computer? What _else_ is it doing? (Running a
bloated GUI on the sniffer box probably isn't the best idea ever.) You
can get a quick measure by running tcpdump and looking to see how many
packets it reports dropping. Or you could kick the NIC into promiscuous
mode (man ifconfig) and then monitor the stats in the ifconfig output.

Old guy
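
The two quick checks suggested in the reply above (tcpdump's drop count and the interface statistics), as an added shell example that is not part of the original post. The function names, the threshold argument and both sample inputs are constructed for illustration; the ifconfig sample assumes the older net-tools `RX packets:... dropped:... overruns:...` layout.

```shell
#!/bin/sh
# Constructed sample: the summary tcpdump prints on exit.
SAMPLE_SUMMARY='195000 packets captured
200000 packets received by filter
5000 packets dropped by kernel'
# Constructed sample: RX/TX counter lines in the older net-tools ifconfig layout.
SAMPLE_IFCONFIG='          RX packets:200000 errors:0 dropped:40 overruns:2 frame:0
          TX packets:1200 errors:0 dropped:1 overruns:0 carrier:0'

# Print kernel drops as a percentage of the "received by filter" count.
drop_pct() {
    printf '%s\n' "$1" | LC_ALL=C awk '
        /packets received by filter/ { recv = $1; r = 1 }
        /packets dropped by kernel/  { drop = $1; d = 1 }
        END {
            if (!r || !d) { print "unparsed"; exit 2 }
            printf "%.2f\n", ((recv > 0) ? 100 * drop / recv : 0)
        }'
}

# Print "lossy" when the drop percentage exceeds the threshold in $2, else "ok".
capture_verdict() {
    pct=$(drop_pct "$1") || { echo "unparsed"; return 2; }
    LC_ALL=C awk -v p="$pct" -v t="$2" 'BEGIN { print ((p > t) ? "lossy" : "ok") }'
}

# Sum the receive-side "dropped" and "overruns" counters; TX lines are ignored.
nic_rx_loss() {
    printf '%s\n' "$1" | awk '
        /RX packets/ {
            for (i = 1; i <= NF; i++)
                if (split($i, kv, ":") == 2 && (kv[1] == "dropped" || kv[1] == "overruns"))
                    sum += kv[2]
        }
        END { print sum + 0 }'
}

echo "capture drop rate: $(drop_pct "$SAMPLE_SUMMARY")% ($(capture_verdict "$SAMPLE_SUMMARY" 1))"
echo "NIC receive loss:  $(nic_rx_loss "$SAMPLE_IFCONFIG") packets"
```

On a live sensor the summary text comes from tcpdump's stderr when the capture ends, and the counter lines from the ifconfig output for the monitoring interface.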