memory mapped packet capturing - bpf replacement ?

Sergey Lyubka devnull at uptsoft.com
Mon Jun 14 09:47:39 GMT 2004 

Traffic analysis applications running on high-speed networks are
using BPF to capture packet. However, on heavy traffic frequent
context switches caused by read(2) from a BPF device is a overhead.

I implemented a prototype module that stores captured
 packets in user mmap-able area. I want to describe the prototype and
discuss benchmark results.

The module is a netgraph node, called ng_mmq. mmq stands for
memory-mapped queue. The node has one hook, called "input".
When this hook is connected,
	o memory buffer is allocated. size is controlled by the
	debug.mmq_size sysctl.
	o a device /dev/mmqX is created, where X is a node ID
	o /dev/mmqX is mmap-able by the user, mmap() returns an
	allocated buffer
	o when packet arrives on hook, it is copied to the buffer,
	which is actually a ringbuffer. The ringbuffer's head is
	advanced.
	o user spins until tail != head, which means new data arrived.
	Then it reads from ringbuffer, and advances the tail.
	o no mutexes are used

The code is at 

So this is the basic idea. I connected ng_mmq node to my rl0:
ethernet node via the ng_hub, and benchmarked it against the
pcap, using the same pcap callback function. Packet processing was
simulated by the delay() function that just takes some CPU cycles.
What I have found is:
	1. bpf seems to be faster, i.e. it drops less packets than mmq
	2. mmq seems to capture more packets.

This is sample output from the benchmark utility:
# ./benchmark rl0 /dev/mmq5 1000
pcap: rcvd: 15061, dropped: 14047, seen: 1000
mmq: rcvd: 23172, dropped: 21789, seen: 1000

Now, the questions:
	1. is my interpretation of benchmark results correct?
	2. if they are correct, why bpf is faster?
	3. is it OK to have no mutexes for ringbuffer operations ?

The ng_mmq code, as well as the benchmark code, are at
http://oasis.uptsoft.com/~devnull/ng_mmq/

Setup instructions are at 
http://oasis.uptsoft.com/~devnull/ng_mmq/README


-- 
Sergey Lyubka, Network Security Consultant
NetFort Technologies Ltd, Galway, Ireland

More information about the freebsd-hackers mailing list