A key aspect of performance is that most processing takes place at the lowest possible level, e.g., in the kernel or on the network processor. For example, in the FFPF implementation on IXP1200 network processors, packet processing and buffer management are handled entirely by the IXP.
As shown in Figure 4, FFPF spans all three levels of the processing hierarchy: userspace, kernel, and network interface. Filters can be loaded at any of these levels, and the figure shows that filters at lower levels (e.g., the network card) may be connected to filters at higher levels. For instance, first-pass filtering may take place on the IXP1200, followed by more expensive processing at the host. A similar approach is taken by paths in the Scout OS [4]. Where in the hierarchy a filter should be loaded depends on the availability of its filter class in each space and on the trade-off between efficiency and stability at each level. Users need not concern themselves with this decision: it is made automatically by the FFPF toolkit.
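To make the division of labour concrete, the sketch below shows how an application might request such a multi-level flow. The ffpf_* calls, the filter names, and the expression syntax are hypothetical placeholders rather than the real toolkit interface; the point is only that the user supplies a single filter expression and the toolkit decides at which level each filter runs.

    /* Hypothetical sketch of constructing a multi-level flow. The
     * ffpf_* calls and the expression syntax are illustrative
     * placeholders, not the real FFPF toolkit interface. */
    #include <stdio.h>

    extern void *ffpf_flow_open(const char *expr);  /* hypothetical */
    extern void  ffpf_flow_close(void *flow);       /* hypothetical */

    int main(void)
    {
        /* A cheap first-pass sampler that the toolkit could push down
         * to the IXP1200, feeding a more expensive scan that would run
         * in the kernel or in userspace on the host. */
        void *flow = ffpf_flow_open("sample(1/100) -> http_scan()");
        if (flow == NULL) {
            fprintf(stderr, "could not instantiate flow\n");
            return 1;
        }
        /* ... consume packets/results from the flow's buffers ... */
        ffpf_flow_close(flow);
        return 0;
    }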
The shaded areas in the figure indicate APIs that we developed on top of the native FFPF interface. The libpcap implementation guarantees backward compatibility with a host of applications. As shown in Section 5, running legacy libpcap applications on FFPF rather than on the existing Linux framework also leads to a significant performance boost.
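For example, a minimal legacy capture loop such as the following (standard libpcap calls only; the device name and filter string are arbitrary) runs unmodified on FFPF's libpcap implementation; only the library underneath changes.

    /* Minimal legacy libpcap application; such code runs unmodified
     * on FFPF's libpcap implementation. Device and filter arbitrary. */
    #include <pcap.h>
    #include <stdio.h>

    static void handler(u_char *user, const struct pcap_pkthdr *h,
                        const u_char *bytes)
    {
        (void)user; (void)bytes;
        printf("captured %u bytes\n", h->caplen);
    }

    int main(void)
    {
        char errbuf[PCAP_ERRBUF_SIZE];
        struct bpf_program prog;
        pcap_t *p = pcap_open_live("eth0", 65535, 1, 1000, errbuf);
        if (p == NULL) {
            fprintf(stderr, "pcap_open_live: %s\n", errbuf);
            return 1;
        }
        if (pcap_compile(p, &prog, "tcp port 80", 1, 0) == 0)
            pcap_setfilter(p, &prog);
        pcap_loop(p, 10, handler, NULL);  /* process ten packets */
        pcap_close(p);
        return 0;
    }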
MAPI is a powerful monitoring API developed within the SCAMPI project [30]. Since FFPF's functionality exceeds that of both pcap and MAPI, the implementation of these interfaces took just a few hours' work. The FFPF toolkit supports automatic allocation of filters to the optimal place in the processing hierarchy. Moreover, when a new flow grabber is instantiated, the toolkit automatically tries to merge it with already existing `filter graphs', so that every common prefix is executed only once.
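As an illustration of this merging, consider two flow grabbers whose expressions share a prefix; the syntax and ffpf_flow_open() below are the same hypothetical placeholders as above. The toolkit would instantiate the shared sampler once and connect both suffixes to its output.

    /* Hypothetical illustration of filter-graph merging; the syntax
     * and ffpf_flow_open() are placeholders, not the real FFPF API. */
    extern void *ffpf_flow_open(const char *expr);  /* hypothetical */

    void merge_example(void)
    {
        /* Both flows begin with the same sampler; after merging, the
         * common prefix "sample(1/2)" executes once per packet and
         * feeds both the TCP and the UDP branch. */
        void *f1 = ffpf_flow_open("sample(1/2) -> tcp_filter() -> count()");
        void *f2 = ffpf_flow_open("sample(1/2) -> udp_filter() -> count()");
        (void)f1;
        (void)f2;
    }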