linux – Is it possible to intercept packets from a network device before being processed by the kernel?


Problem: There is a device with a slow processor and a 1Gbit network card. A UDP echo server application was written. During the research, it was found that after a certain number of packets had passed, massive losses began, i.e. if 500 were sent, then the first 200 were returned (packets were marked) and the rest were lost. From this it was concluded that the kernel accumulates rapidly arriving packets until it fills its buffers, and only then gives them to the application for processing. Is it possible to change this behavior of the kernel?

Next, a small kernel module was written that uses the dev_add_pack hook; the situation has not changed much, since the interceptor receives packets from the message queue.

Objective: To intercept and filter packets before placing them in the kernel queue, and, if possible (not a prerequisite, you can decide otherwise), process and send them back.

Question: What other low-level packet capture methods exist besides dev_add_pack, nf_register_hook, and rewriting the network device driver?


Searches on the Internet gave the following information. There are these components:

netmap – the main part is a kernel module; it lets user-space applications work with driver ring buffers directly, which reduces the overhead of multiple data copying, but you have to work with raw packets. Cons: it supports a limited set of network device drivers, because it intercepts packets from modified drivers, not from the kernel. Explanations and a diagram of interaction with the kernel, stack and application were found in the English version of SO.

PF_RING – an analogue of netmap, but with its own peculiarities; I did not study the differences in detail.

Intel DPDK – as understood, for Intel cards (presentation).

In summary: packets can be intercepted before they are received by the kernel, but this requires either modifying the source code of the network card driver or using the packages above, which have already done this.
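Before moving capture below the kernel stack, it helps to confirm where the datagrams are dropped: the Udp `RcvbufErrors` counter in `/proc/net/snmp` grows when a socket's receive buffer is full. The following is an added example, not code from either post; it compares two snapshots of that file, and the snapshot text and helper names (`udp_counter`, `udp_delta`) are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples in /proc/net/snmp layout (not from a real host): the Udp
 * section before and after a burst of 500 datagrams of which 200 got through. */
static const char *SNMP_BEFORE =
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
    "Udp: 1000 2 0 1000 0 0\n";
static const char *SNMP_AFTER =
    "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n"
    "Udp: 1200 2 300 1200 300 0\n";

/* Value of one Udp counter, found by column name because the set of columns
 * differs between kernel versions. Returns -1 if the counter is absent. */
long udp_counter(const char *snmp, const char *name)
{
    const char *hdr = strstr(snmp, "Udp: ");
    const char *val = hdr ? strstr(hdr, "\nUdp: ") : NULL;
    if (!val) return -1;
    const char *h = hdr + 5, *v = val + 6; /* first name, first value */
    size_t len = strlen(name);
    while (*h && *h != '\n') {
        size_t tok = strcspn(h, " \n");
        char *end;
        if (*v == '\n' || *v == '\0') return -1; /* fewer values than names */
        long n = strtol(v, &end, 10);
        if (end == v) return -1;                 /* not a number */
        if (tok == len && strncmp(h, name, len) == 0) return n;
        h += tok + (h[tok] == ' ');
        v = end;
    }
    return -1;
}

/* Growth of a counter between two snapshots, or -1 if either lacks it. */
long udp_delta(const char *before, const char *after, const char *name)
{
    long b = udp_counter(before, name), a = udp_counter(after, name);
    return (a < 0 || b < 0) ? -1 : a - b;
}

int main(void)
{
    printf("delivered +%ld, dropped at socket buffer +%ld\n",
           udp_delta(SNMP_BEFORE, SNMP_AFTER, "InDatagrams"),
           udp_delta(SNMP_BEFORE, SNMP_AFTER, "RcvbufErrors"));
    return 0;
}
```

On a real host, read `/proc/net/snmp` once before and once after the test burst; a zero `RcvbufErrors` delta alongside missing replies means the loss happened before the socket queue, which these counters do not show.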
