1-------------------------------------------------------------------------------- 2+ ABSTRACT 3-------------------------------------------------------------------------------- 4 5This file documents the mmap() facility available with the PACKET 6socket interface on 2.4 and 2.6 kernels. This type of sockets is used for 7capture network traffic with utilities like tcpdump or any other that needs 8raw access to network interface. 9 10You can find the latest version of this document at: 11 http://wiki.ipxwarzone.com/index.php5?title=Linux_packet_mmap 12 13Howto can be found at: 14 http://wiki.gnu-log.net (packet_mmap) 15 16Please send your comments to 17 Ulisses Alonso Camaró <uaca@i.hate.spam.alumni.uv.es> 18 Johann Baudy <johann.baudy@gnu-log.net> 19 20------------------------------------------------------------------------------- 21+ Why use PACKET_MMAP 22-------------------------------------------------------------------------------- 23 24In Linux 2.4/2.6 if PACKET_MMAP is not enabled, the capture process is very 25inefficient. It uses very limited buffers and requires one system call 26to capture each packet, it requires two if you want to get packet's 27timestamp (like libpcap always does). 28 29In the other hand PACKET_MMAP is very efficient. PACKET_MMAP provides a size 30configurable circular buffer mapped in user space that can be used to either 31send or receive packets. This way reading packets just needs to wait for them, 32most of the time there is no need to issue a single system call. Concerning 33transmission, multiple packets can be sent through one system call to get the 34highest bandwidth. 35By using a shared buffer between the kernel and the user also has the benefit 36of minimizing packet copies. 37 38It's fine to use PACKET_MMAP to improve the performance of the capture and 39transmission process, but it isn't everything. At least, if you are capturing 40at high speeds (this is relative to the cpu speed), you should check if the 41device driver of your network interface card supports some sort of interrupt 42load mitigation or (even better) if it supports NAPI, also make sure it is 43enabled. For transmission, check the MTU (Maximum Transmission Unit) used and 44supported by devices of your network. 45 46-------------------------------------------------------------------------------- 47+ How to use mmap() to improve capture process 48-------------------------------------------------------------------------------- 49 50From the user standpoint, you should use the higher level libpcap library, which 51is a de facto standard, portable across nearly all operating systems 52including Win32. 53 54Said that, at time of this writing, official libpcap 0.8.1 is out and doesn't include 55support for PACKET_MMAP, and also probably the libpcap included in your distribution. 56 57I'm aware of two implementations of PACKET_MMAP in libpcap: 58 59 http://wiki.ipxwarzone.com/ (by Simon Patarin, based on libpcap 0.6.2) 60 http://public.lanl.gov/cpw/ (by Phil Wood, based on lastest libpcap) 61 62The rest of this document is intended for people who want to understand 63the low level details or want to improve libpcap by including PACKET_MMAP 64support. 65 66-------------------------------------------------------------------------------- 67+ How to use mmap() directly to improve capture process 68-------------------------------------------------------------------------------- 69 70From the system calls stand point, the use of PACKET_MMAP involves 71the following process: 72 73 74[setup] socket() -------> creation of the capture socket 75 setsockopt() ---> allocation of the circular buffer (ring) 76 option: PACKET_RX_RING 77 mmap() ---------> mapping of the allocated buffer to the 78 user process 79 80[capture] poll() ---------> to wait for incoming packets 81 82[shutdown] close() --------> destruction of the capture socket and 83 deallocation of all associated 84 resources. 85 86 87socket creation and destruction is straight forward, and is done 88the same way with or without PACKET_MMAP: 89 90int fd; 91 92fd= socket(PF_PACKET, mode, htons(ETH_P_ALL)) 93 94where mode is SOCK_RAW for the raw interface were link level 95information can be captured or SOCK_DGRAM for the cooked 96interface where link level information capture is not 97supported and a link level pseudo-header is provided 98by the kernel. 99 100The destruction of the socket and all associated resources 101is done by a simple call to close(fd). 102 103Next I will describe PACKET_MMAP settings and its constraints, 104also the mapping of the circular buffer in the user process and 105the use of this buffer. 106 107-------------------------------------------------------------------------------- 108+ How to use mmap() directly to improve transmission process 109-------------------------------------------------------------------------------- 110Transmission process is similar to capture as shown below. 111 112[setup] socket() -------> creation of the transmission socket 113 setsockopt() ---> allocation of the circular buffer (ring) 114 option: PACKET_TX_RING 115 bind() ---------> bind transmission socket with a network interface 116 mmap() ---------> mapping of the allocated buffer to the 117 user process 118 119[transmission] poll() ---------> wait for free packets (optional) 120 send() ---------> send all packets that are set as ready in 121 the ring 122 The flag MSG_DONTWAIT can be used to return 123 before end of transfer. 124 125[shutdown] close() --------> destruction of the transmission socket and 126 deallocation of all associated resources. 127 128Binding the socket to your network interface is mandatory (with zero copy) to 129know the header size of frames used in the circular buffer. 130 131As capture, each frame contains two parts: 132 133 -------------------- 134| struct tpacket_hdr | Header. It contains the status of 135| | of this frame 136|--------------------| 137| data buffer | 138. . Data that will be sent over the network interface. 139. . 140 -------------------- 141 142 bind() associates the socket to your network interface thanks to 143 sll_ifindex parameter of struct sockaddr_ll. 144 145 Initialization example: 146 147 struct sockaddr_ll my_addr; 148 struct ifreq s_ifr; 149 ... 150 151 strncpy (s_ifr.ifr_name, "eth0", sizeof(s_ifr.ifr_name)); 152 153 /* get interface index of eth0 */ 154 ioctl(this->socket, SIOCGIFINDEX, &s_ifr); 155 156 /* fill sockaddr_ll struct to prepare binding */ 157 my_addr.sll_family = AF_PACKET; 158 my_addr.sll_protocol = htons(ETH_P_ALL); 159 my_addr.sll_ifindex = s_ifr.ifr_ifindex; 160 161 /* bind socket to eth0 */ 162 bind(this->socket, (struct sockaddr *)&my_addr, sizeof(struct sockaddr_ll)); 163 164 A complete tutorial is available at: http://wiki.gnu-log.net/ 165 166-------------------------------------------------------------------------------- 167+ PACKET_MMAP settings 168-------------------------------------------------------------------------------- 169 170 171To setup PACKET_MMAP from user level code is done with a call like 172 173 - Capture process 174 setsockopt(fd, SOL_PACKET, PACKET_RX_RING, (void *) &req, sizeof(req)) 175 - Transmission process 176 setsockopt(fd, SOL_PACKET, PACKET_TX_RING, (void *) &req, sizeof(req)) 177 178The most significant argument in the previous call is the req parameter, 179this parameter must to have the following structure: 180 181 struct tpacket_req 182 { 183 unsigned int tp_block_size; /* Minimal size of contiguous block */ 184 unsigned int tp_block_nr; /* Number of blocks */ 185 unsigned int tp_frame_size; /* Size of frame */ 186 unsigned int tp_frame_nr; /* Total number of frames */ 187 }; 188 189This structure is defined in /usr/include/linux/if_packet.h and establishes a 190circular buffer (ring) of unswappable memory. 191Being mapped in the capture process allows reading the captured frames and 192related meta-information like timestamps without requiring a system call. 193 194Frames are grouped in blocks. Each block is a physically contiguous 195region of memory and holds tp_block_size/tp_frame_size frames. The total number 196of blocks is tp_block_nr. Note that tp_frame_nr is a redundant parameter because 197 198 frames_per_block = tp_block_size/tp_frame_size 199 200indeed, packet_set_ring checks that the following condition is true 201 202 frames_per_block * tp_block_nr == tp_frame_nr 203 204 205Lets see an example, with the following values: 206 207 tp_block_size= 4096 208 tp_frame_size= 2048 209 tp_block_nr = 4 210 tp_frame_nr = 8 211 212we will get the following buffer structure: 213 214 block #1 block #2 215+---------+---------+ +---------+---------+ 216| frame 1 | frame 2 | | frame 3 | frame 4 | 217+---------+---------+ +---------+---------+ 218 219 block #3 block #4 220+---------+---------+ +---------+---------+ 221| frame 5 | frame 6 | | frame 7 | frame 8 | 222+---------+---------+ +---------+---------+ 223 224A frame can be of any size with the only condition it can fit in a block. A block 225can only hold an integer number of frames, or in other words, a frame cannot 226be spawned across two blocks, so there are some details you have to take into 227account when choosing the frame_size. See "Mapping and use of the circular 228buffer (ring)". 229 230 231-------------------------------------------------------------------------------- 232+ PACKET_MMAP setting constraints 233-------------------------------------------------------------------------------- 234 235In kernel versions prior to 2.4.26 (for the 2.4 branch) and 2.6.5 (2.6 branch), 236the PACKET_MMAP buffer could hold only 32768 frames in a 32 bit architecture or 23716384 in a 64 bit architecture. For information on these kernel versions 238see http://pusa.uv.es/~ulisses/packet_mmap/packet_mmap.pre-2.4.26_2.6.5.txt 239 240 Block size limit 241------------------ 242 243As stated earlier, each block is a contiguous physical region of memory. These 244memory regions are allocated with calls to the __get_free_pages() function. As 245the name indicates, this function allocates pages of memory, and the second 246argument is "order" or a power of two number of pages, that is 247(for PAGE_SIZE == 4096) order=0 ==> 4096 bytes, order=1 ==> 8192 bytes, 248order=2 ==> 16384 bytes, etc. The maximum size of a 249region allocated by __get_free_pages is determined by the MAX_ORDER macro. More 250precisely the limit can be calculated as: 251 252 PAGE_SIZE << MAX_ORDER 253 254 In a i386 architecture PAGE_SIZE is 4096 bytes 255 In a 2.4/i386 kernel MAX_ORDER is 10 256 In a 2.6/i386 kernel MAX_ORDER is 11 257 258So get_free_pages can allocate as much as 4MB or 8MB in a 2.4/2.6 kernel 259respectively, with an i386 architecture. 260 261User space programs can include /usr/include/sys/user.h and 262/usr/include/linux/mmzone.h to get PAGE_SIZE MAX_ORDER declarations. 263 264The pagesize can also be determined dynamically with the getpagesize (2) 265system call. 266 267 268 Block number limit 269-------------------- 270 271To understand the constraints of PACKET_MMAP, we have to see the structure 272used to hold the pointers to each block. 273 274Currently, this structure is a dynamically allocated vector with kmalloc 275called pg_vec, its size limits the number of blocks that can be allocated. 276 277 +---+---+---+---+ 278 | x | x | x | x | 279 +---+---+---+---+ 280 | | | | 281 | | | v 282 | | v block #4 283 | v block #3 284 v block #2 285 block #1 286 287 288kmalloc allocates any number of bytes of physically contiguous memory from 289a pool of pre-determined sizes. This pool of memory is maintained by the slab 290allocator which is at the end the responsible for doing the allocation and 291hence which imposes the maximum memory that kmalloc can allocate. 292 293In a 2.4/2.6 kernel and the i386 architecture, the limit is 131072 bytes. The 294predetermined sizes that kmalloc uses can be checked in the "size-<bytes>" 295entries of /proc/slabinfo 296 297In a 32 bit architecture, pointers are 4 bytes long, so the total number of 298pointers to blocks is 299 300 131072/4 = 32768 blocks 301 302 303 PACKET_MMAP buffer size calculator 304------------------------------------ 305 306Definitions: 307 308<size-max> : is the maximum size of allocable with kmalloc (see /proc/slabinfo) 309<pointer size>: depends on the architecture -- sizeof(void *) 310<page size> : depends on the architecture -- PAGE_SIZE or getpagesize (2) 311<max-order> : is the value defined with MAX_ORDER 312<frame size> : it's an upper bound of frame's capture size (more on this later) 313 314from these definitions we will derive 315 316 <block number> = <size-max>/<pointer size> 317 <block size> = <pagesize> << <max-order> 318 319so, the max buffer size is 320 321 <block number> * <block size> 322 323and, the number of frames be 324 325 <block number> * <block size> / <frame size> 326 327Suppose the following parameters, which apply for 2.6 kernel and an 328i386 architecture: 329 330 <size-max> = 131072 bytes 331 <pointer size> = 4 bytes 332 <pagesize> = 4096 bytes 333 <max-order> = 11 334 335and a value for <frame size> of 2048 bytes. These parameters will yield 336 337 <block number> = 131072/4 = 32768 blocks 338 <block size> = 4096 << 11 = 8 MiB. 339 340and hence the buffer will have a 262144 MiB size. So it can hold 341262144 MiB / 2048 bytes = 134217728 frames 342 343 344Actually, this buffer size is not possible with an i386 architecture. 345Remember that the memory is allocated in kernel space, in the case of 346an i386 kernel's memory size is limited to 1GiB. 347 348All memory allocations are not freed until the socket is closed. The memory 349allocations are done with GFP_KERNEL priority, this basically means that 350the allocation can wait and swap other process' memory in order to allocate 351the necessary memory, so normally limits can be reached. 352 353 Other constraints 354------------------- 355 356If you check the source code you will see that what I draw here as a frame 357is not only the link level frame. At the beginning of each frame there is a 358header called struct tpacket_hdr used in PACKET_MMAP to hold link level's frame 359meta information like timestamp. So what we draw here a frame it's really 360the following (from include/linux/if_packet.h): 361 362/* 363 Frame structure: 364 365 - Start. Frame must be aligned to TPACKET_ALIGNMENT=16 366 - struct tpacket_hdr 367 - pad to TPACKET_ALIGNMENT=16 368 - struct sockaddr_ll 369 - Gap, chosen so that packet data (Start+tp_net) aligns to 370 TPACKET_ALIGNMENT=16 371 - Start+tp_mac: [ Optional MAC header ] 372 - Start+tp_net: Packet data, aligned to TPACKET_ALIGNMENT=16. 373 - Pad to align to TPACKET_ALIGNMENT=16 374 */ 375 376 377 The following are conditions that are checked in packet_set_ring 378 379 tp_block_size must be a multiple of PAGE_SIZE (1) 380 tp_frame_size must be greater than TPACKET_HDRLEN (obvious) 381 tp_frame_size must be a multiple of TPACKET_ALIGNMENT 382 tp_frame_nr must be exactly frames_per_block*tp_block_nr 383 384Note that tp_block_size should be chosen to be a power of two or there will 385be a waste of memory. 386 387-------------------------------------------------------------------------------- 388+ Mapping and use of the circular buffer (ring) 389-------------------------------------------------------------------------------- 390 391The mapping of the buffer in the user process is done with the conventional 392mmap function. Even the circular buffer is compound of several physically 393discontiguous blocks of memory, they are contiguous to the user space, hence 394just one call to mmap is needed: 395 396 mmap(0, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); 397 398If tp_frame_size is a divisor of tp_block_size frames will be 399contiguously spaced by tp_frame_size bytes. If not, each 400tp_block_size/tp_frame_size frames there will be a gap between 401the frames. This is because a frame cannot be spawn across two 402blocks. 403 404At the beginning of each frame there is an status field (see 405struct tpacket_hdr). If this field is 0 means that the frame is ready 406to be used for the kernel, If not, there is a frame the user can read 407and the following flags apply: 408 409+++ Capture process: 410 from include/linux/if_packet.h 411 412 #define TP_STATUS_COPY 2 413 #define TP_STATUS_LOSING 4 414 #define TP_STATUS_CSUMNOTREADY 8 415 416 417TP_STATUS_COPY : This flag indicates that the frame (and associated 418 meta information) has been truncated because it's 419 larger than tp_frame_size. This packet can be 420 read entirely with recvfrom(). 421 422 In order to make this work it must to be 423 enabled previously with setsockopt() and 424 the PACKET_COPY_THRESH option. 425 426 The number of frames than can be buffered to 427 be read with recvfrom is limited like a normal socket. 428 See the SO_RCVBUF option in the socket (7) man page. 429 430TP_STATUS_LOSING : indicates there were packet drops from last time 431 statistics where checked with getsockopt() and 432 the PACKET_STATISTICS option. 433 434TP_STATUS_CSUMNOTREADY: currently it's used for outgoing IP packets which 435 its checksum will be done in hardware. So while 436 reading the packet we should not try to check the 437 checksum. 438 439for convenience there are also the following defines: 440 441 #define TP_STATUS_KERNEL 0 442 #define TP_STATUS_USER 1 443 444The kernel initializes all frames to TP_STATUS_KERNEL, when the kernel 445receives a packet it puts in the buffer and updates the status with 446at least the TP_STATUS_USER flag. Then the user can read the packet, 447once the packet is read the user must zero the status field, so the kernel 448can use again that frame buffer. 449 450The user can use poll (any other variant should apply too) to check if new 451packets are in the ring: 452 453 struct pollfd pfd; 454 455 pfd.fd = fd; 456 pfd.revents = 0; 457 pfd.events = POLLIN|POLLRDNORM|POLLERR; 458 459 if (status == TP_STATUS_KERNEL) 460 retval = poll(&pfd, 1, timeout); 461 462It doesn't incur in a race condition to first check the status value and 463then poll for frames. 464 465 466++ Transmission process 467Those defines are also used for transmission: 468 469 #define TP_STATUS_AVAILABLE 0 // Frame is available 470 #define TP_STATUS_SEND_REQUEST 1 // Frame will be sent on next send() 471 #define TP_STATUS_SENDING 2 // Frame is currently in transmission 472 #define TP_STATUS_WRONG_FORMAT 4 // Frame format is not correct 473 474First, the kernel initializes all frames to TP_STATUS_AVAILABLE. To send a 475packet, the user fills a data buffer of an available frame, sets tp_len to 476current data buffer size and sets its status field to TP_STATUS_SEND_REQUEST. 477This can be done on multiple frames. Once the user is ready to transmit, it 478calls send(). Then all buffers with status equal to TP_STATUS_SEND_REQUEST are 479forwarded to the network device. The kernel updates each status of sent 480frames with TP_STATUS_SENDING until the end of transfer. 481At the end of each transfer, buffer status returns to TP_STATUS_AVAILABLE. 482 483 header->tp_len = in_i_size; 484 header->tp_status = TP_STATUS_SEND_REQUEST; 485 retval = send(this->socket, NULL, 0, 0); 486 487The user can also use poll() to check if a buffer is available: 488(status == TP_STATUS_SENDING) 489 490 struct pollfd pfd; 491 pfd.fd = fd; 492 pfd.revents = 0; 493 pfd.events = POLLOUT; 494 retval = poll(&pfd, 1, timeout); 495 496------------------------------------------------------------------------------- 497+ PACKET_TIMESTAMP 498------------------------------------------------------------------------------- 499 500The PACKET_TIMESTAMP setting determines the source of the timestamp in 501the packet meta information. If your NIC is capable of timestamping 502packets in hardware, you can request those hardware timestamps to used. 503Note: you may need to enable the generation of hardware timestamps with 504SIOCSHWTSTAMP. 505 506PACKET_TIMESTAMP accepts the same integer bit field as 507SO_TIMESTAMPING. However, only the SOF_TIMESTAMPING_SYS_HARDWARE 508and SOF_TIMESTAMPING_RAW_HARDWARE values are recognized by 509PACKET_TIMESTAMP. SOF_TIMESTAMPING_SYS_HARDWARE takes precedence over 510SOF_TIMESTAMPING_RAW_HARDWARE if both bits are set. 511 512 int req = 0; 513 req |= SOF_TIMESTAMPING_SYS_HARDWARE; 514 setsockopt(fd, SOL_PACKET, PACKET_TIMESTAMP, (void *) &req, sizeof(req)) 515 516If PACKET_TIMESTAMP is not set, a software timestamp generated inside 517the networking stack is used (the behavior before this setting was added). 518 519See include/linux/net_tstamp.h and Documentation/networking/timestamping 520for more information on hardware timestamps. 521 522-------------------------------------------------------------------------------- 523+ THANKS 524-------------------------------------------------------------------------------- 525 526 Jesse Brandeburg, for fixing my grammathical/spelling errors 527 528