I'm looking at the packetbeat document, and it declares af_packet has better performance than pcap.
Do we have any number regarding this performance difference?
As far as I know libpcap has leveraged af_packet in Linux. I thought they should have similar performance before.
pcap, which uses the libpcap library and works on most platforms, but it’s not the fastest option. af_packet, which uses memory mapped sniffing. This option is faster than libpcap and doesn’t require a kernel module, but it’s Linux-specific.
We don't have numbers, and mileage might vary. Normally the performance difference is recognizable by packet loss.
But the libpcap-based approach does add quite some overhead, as libpcap provides a callback-based interface per packet, might enforce additional copies and, most important, libpcap requires the CGO interface, adding a function-calling overhead per packet. af_packet, on the other hand, is plain Go directly accessing the shared memory (shared with the kernel), plus buffer sizes are somewhat tunable.
And the buffer can be configured in libpcap too (pcap_set_buffer_size).
Right. I had the packetbeat configuration itself in mind. In the packetbeat config file you can configure the buffer size for af_packet only.
Regarding the additional copies, it depends on how we use it.
pcap_loop doesn't require an additional memory copy.
packetbeat uses go-packet, which is not using pcap_loop, but pcap_next_ex. The mmap callback requires a memcpy to copy the packet's content into some temporary buffer.
In addition, the sniffer in packetbeat uses ReadPacketData, which also copies the packet once again (required to hold on to e.g. unordered TCP packets). That is, af_packet will copy the packet once, but using pcap will copy the packet twice (no matter whether SOCK_RAW or SOCK_PACKET is used).
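
Why a copy is needed to hold on to packets read from a memory-mapped ring, shown with a toy model (an added example, not part of the original thread and not packetbeat or go-packet code; `ring`, `deliver` and `heldSegmentSurvives` are hypothetical names, and the segments are constructed sample data):

```go
package main

import (
	"bytes"
	"fmt"
)

// ring models a memory-mapped RX ring: a fixed set of frame slots whose
// memory is overwritten in place once the ring wraps around.
type ring struct {
	slots [][]byte
	next  int
}

func newRing(n, frameSize int) *ring {
	r := &ring{slots: make([][]byte, n)}
	for i := range r.slots {
		r.slots[i] = make([]byte, frameSize)
	}
	return r
}

// deliver plays the kernel side: it writes pkt into the next slot and
// returns a zero-copy view (a slice aliasing the ring memory).
func (r *ring) deliver(pkt []byte) []byte {
	slot := r.slots[r.next]
	n := copy(slot, pkt)
	r.next = (r.next + 1) % len(r.slots)
	return slot[:n]
}

// heldSegmentSurvives receives one out-of-order TCP segment, keeps it while
// the ring wraps, and reports whether the kept bytes are still intact.
func heldSegmentSurvives(copyOut bool) bool {
	r := newRing(2, 64)
	want := []byte("seq=2000 payload-B") // constructed: arrives before seq=1000
	held := r.deliver(want)
	if copyOut {
		held = append([]byte(nil), held...) // private copy, detached from the ring
	}
	r.deliver([]byte("seq=3000 payload-C"))
	r.deliver([]byte("seq=1000 payload-A")) // ring wraps and reuses slot 0
	return bytes.Equal(held, want)
}

func main() {
	fmt.Println("zero-copy view intact:", heldSegmentSurvives(false))
	fmt.Println("copied packet intact: ", heldSegmentSurvives(true))
}
```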