ZC works in zero-copy (no packet copy), thus capturing the whole packet or just a snaplen does not affect performance.
Alfredo > On 19 Dec 2014, at 17:57, Pavel Odintsov <[email protected]> wrote: > > Thank you for your help, Alfredo! I integrated ZC support via native > ZC API and everything works nice. > > But I can't find any analogue for snaplen in ZC API. I need only > packet headers for processing. Can I do it with ZC API? > > On Sat, Oct 25, 2014 at 5:37 PM, Alfredo Cardigliano > <[email protected]> wrote: >> Hi Pavel >> for 10 Gbit line-rate you definitely need ZC, you can use hw RSS for >> spreading load across multiple instances of your application or custom >> software distribution (using for instance zbalance_ipc). >> >> For packet parsing you can use pfring_parse_pkt(), according to what you >> need you should call: >> pfring_parse_pkt(pkt /* u_char* */, &hdr /* struct pfring_pkthdr* */, 3 /* >> up to L3 */, 0 /* no timestamp */, 0 /* no hash */); >> >> Alfredo >> >>> On 23 Oct 2014, at 20:00, Pavel Odintsov <[email protected]> wrote: >>> >>> Hello, folks! >>> >>> I'm working on OSS solution for DDoS detection >>> (https://github.com/FastVPSEestiOu/fastnetmon) and passed through hard >>> way of: pcap, ulog2, pf_ring. >>> >>> I'm really amazed PF_RING and I can analyze streams up to 2 million >>> packets per second on really slow hw (i7 2600 with Intel 82599). >>> >>> But my final target - provide monitoring ability on wire rate 10GBps >>> and 14Mpps. I tried to use plain pf_ring, multichannel pf_ring and >>> start thinking about ZC.... >>> >>> Maybe somebody can recommend best and fastest approach for my task? I >>> need small amount of packet headers (src/dst ip, src/dst port, >>> protocol). For extracting data I surely need some sort of packets >>> parser. >>> >>> Fastest solution which I did now is multichannel pf_ring with 8 >>> threads for collection data. But I can process only up to 2-3 MPPS and >>> after this I got completely overloaded system: >>> https://www.dropbox.com/s/m2ywqgwul8ka7ww/htoppng.png?dl=0 >>> >>> Is it possible to process more packets on non-zc PF_RING or I should >>> go to ZC mode? :( >>> >>> -- >>> Sincerely yours, Pavel Odintsov >>> _______________________________________________ >>> Ntop-misc mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc >> >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > -- > Sincerely yours, Pavel Odintsov > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
