Packet Fan-Out Extension for the pcap Library

2018 
The wide availability of multi-gigabit network cards for commodity PCs means that network applications may have to cope with high volumes of traffic. However, computation-intensive operations may not keep up with high traffic rates and need to be run in parallel over multiple processing cores. As of today, the vast majority of network applications (e.g., monitoring and IDS systems) are still based on the pcap library interface which, unfortunately, does not provide native multi-core support, even though the current underlying capture technologies do. This paper introduces a novel version of the pcap library for the Linux operating system that enables transparent application-level parallelism. The new library supports fan-out operations for both multi-threaded and multi-process applications, by means of an extended API as well as a declarative grammar for configuration files, suitable for legacy applications. In addition, the library can transparently run on top of the standard Linux socket as well as on other accelerated active engines. Performance evaluation has been carried out on a multi-core architecture in pure capture tests and in more realistic use cases involving monitoring applications such as Tstat and Bro, with the standard Linux socket as well as the PF_RING and PFQ accelerated engines.