brief introduction

At present, most scenarios need high-speed traffic processing , It's basically using DPDK Speed up packet processing ,DPDK Although it is open source and free , however DPDK Provided API It's simple , Development is very complex , Time consuming , Application difficulties , So many people started looking for alternatives – Siphonaceae PF_RING ZC.

Discuss differences in detail

DPDK

If you are an experienced developer （ I'm sorry ,DPDK API It's simple ）, You need to write your application from scratch , You can use all DPDK API Call to allocate / Manage packets , And you must know what you are using NIC.

for instance ： If you use Intel X710/XL710, It is the current flagship of Intel 10/40 Gbit Adapter . When you enable Jumbo frames ,NIC Will return 2K Long RX Data packets （ therefore , If you have an entrance 5k Data packets , You will receive some 2 x 2K Buffer and the rest 1k buffer ）, If you want to send a packet , Then the size is 9K（ So you need to send 1x8K Partial buffers and the rest of the following buffers ）. Essentially , Developers must know this , Be prepared to handle these issues with an application , And make sure that when you move to another... That doesn't work this way NIC（ for example Intel X520/X540） when , You can handle Jumbo frames .

PF_RING ZC

contrary , stay PF_RING ZC in , Library basis MTU Allocating memory buffers , No matter what network card you use , Libraries will always return complete packets （ That is, all these packet segments in the buffer are not exposed to users who will always use them , The only thing a developer has to do is make sure his application can handle huge packets . Use PF_RING ZC API, Developers don't have to remember NIC Hardware details for , No need to change one line of code 、 Simply change the device name from ：

-i eth1

Change to

 -i zc:eth13

The application can be transferred on different hardware devices .

Compare

1. ZC A small license fee is required ,DPDK It's free. ,;
2. DPDK And ZC The performance is basically the same ;
3. ZC Provide an easy-to-use application layer API, The development difficulty is far less than DPDK;

PF_RING ZC Provided API

PF_RINGZC With a simple API, Ability to create a complex application with a few lines of code . The following example shows how to use 6 Line of code creates an aggregator + Load balancer applications .

PF_RING ZC Speed up Zeek

Zeek Is an open source network traffic analyzer . Many users will Zeek Used as a network security monitor （NSM）, To support the investigation of suspicious or malicious activities .Zeek It also supports various traffic analysis tasks outside the security field , Including performance evaluation and troubleshooting . Use PF_RING ZC（zero copy） The driver enables extremely high packet capture / transmission speed , A great promotion Zeek Traffic handling capacity .

Use a PF_RING Of Suricata

Suricata It's a free one 、 Open source 、 mature 、 Fast 、 Robust network threat detection engine .Suricata The engine can carry out real-time intrusion detection (IDS)、 Inline Intrusion Prevention (IPS)、 Network security monitoring (NSM) And offline pcap Handle .Suricata Use powerful and extensive rules and signature languages to check network traffic , It's widely used . Use PF_RING ZC So you can now IDS and IPS High speed use in mode Suricata.

Snort High speed data acquisition

Many users can also use Snort（ The most popular IDS/IPS One of ）, And is currently benefiting from PF_RING ZC The speed of . Use PF_RING ZC （Snort Data collection ） Cooper's standard PF_RING Speed up 20% To 50% , It can be IPS and IDS Run in mode .