18.08.2016

CAPTURE BACKENDS

| Name | Capture speed | Installation | CPU load | Platforms | Cost / license | Accuracy of attack detection | Speed of attack detection |
|---|---|---|---|---|---|---|---|
| netmap | Up to wire speed (10GE, 14 MPPS) | Needs a kernel module and patched NIC drivers (igb, ixgbe, i40 supported). On FreeBSD a kernel rebuild may be needed | Normal | Linux, FreeBSD | BSD | Very accurate | Very fast |
| PF_RING | Up to 2-3 MPPS, 2-3 GE | Needs a kernel module | Very high | Linux only | GPLv2 | Accurate enough | Very fast |
| PF_RING ZC | Up to wire speed (10GE, 14 MPPS) | Needs a kernel module and patched drivers (provided in the package) | Normal | Linux only | Commercial, ~200 euro | Very accurate | Very fast |
| pcap | Very slow, 10-100 mbps | Simple | Huge | FreeBSD, Linux | GPL | Not so accurate | Very fast |
| sFlow | Up to 40-100GE | Very simple | Small | Linux, FreeBSD, MacOS | Free | Accurate, but depends on the sampling rate | Very fast |
| NetFlow | Up to 40-100GE | Very simple | Small for FastNetMon, but can be huge on the network equipment if NetFlow is implemented there in software | Linux, FreeBSD, MacOS | Free, but may require additional licenses or hardware from the network equipment vendor | Not so accurate | Very slow, up to multiple minutes, depending on the flow timeout configuration on the routers |
| AF_PACKET | Up to 2 MPPS / 5-10GE | Very simple | Normal to huge | Linux (since kernel 3.6) | GPLv2 | Very accurate | Very fast |
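The two rows that stand out in the table are sFlow ("accurate, but depends on the sampling rate") and NetFlow ("very slow, depending on the flow timeout"). The following added example is not FastNetMon's code; it is a toy model of both export mechanisms over a constructed packet stream (a 100 pps background to 10.0.0.1 and a 10,000 pps flood to 10.0.0.2 starting at 30 s; both hosts, rates and the 5,000 pps threshold are made up). It shows how many samples a collector needs before a scaled sFlow estimate is trustworthy, how that number grows with the sampling rate, and why a NetFlow collector cannot see a flood before the router's active timeout exports the flow record. The `196 * sqrt(1/c)` error bound is the rule of thumb from the sFlow sampling documentation; systematic every-Nth sampling is used instead of random sampling so the run is reproducible.

```python
import math

US = 1_000_000  # microseconds per second; integer timestamps keep the model exact


def make_stream(duration_s=120, bg_pps=100, attack_pps=10_000, attack_start_s=30):
    """Constructed traffic: constant background to 10.0.0.1 plus a flood to
    10.0.0.2 that starts at attack_start_s. Returns (ts_us, dst) sorted by time;
    on equal timestamps the background packet comes first (stable sort)."""
    pkts = [(i * (US // bg_pps), "10.0.0.1") for i in range(duration_s * bg_pps)]
    attack_n = (duration_s - attack_start_s) * attack_pps
    pkts += [(attack_start_s * US + j * (US // attack_pps), "10.0.0.2") for j in range(attack_n)]
    pkts.sort(key=lambda p: p[0])
    return pkts


def sflow_detect(pkts, rate, threshold_pps, min_samples=3):
    """sFlow-style 1-in-`rate` packet sampling, every sample exported at once.
    The collector estimates a destination's packet rate from the spacing of its
    samples (each sample stands for `rate` packets) and alerts when the estimate
    reaches threshold_pps. A single sample would scale to `rate` pps on its own,
    so min_samples samples are required before the estimate is trusted; this is
    the reason a coarse sampling rate delays detection. Returns seconds or None."""
    seen = {}  # dst -> [first_sample_ts, last_sample_ts, sample_count]
    for i, (ts, dst) in enumerate(pkts):
        if i % rate:  # systematic every-Nth sampling (real agents sample randomly)
            continue
        s = seen.setdefault(dst, [ts, ts, 0])
        s[1], s[2] = ts, s[2] + 1
        if s[2] >= min_samples:
            est_pps = (s[2] - 1) * rate * US / max(s[1] - s[0], 1)
            if est_pps >= threshold_pps:
                return ts / US
    return None


def sflow_error_pct(sampled_count):
    """95% relative error bound of an sFlow counter built from sampled_count samples
    (rule of thumb from the sFlow sampling documentation: 196 * sqrt(1/c))."""
    return 196 * math.sqrt(1 / sampled_count)


def sflow_estimate(pkts, rate, dst):
    """Scaled estimate of the packets sent to dst over the whole stream, with its
    error bound in percent; fewer samples (higher rate) means a wider bound."""
    c = sum(1 for i, (_, d) in enumerate(pkts) if i % rate == 0 and d == dst)
    return c * rate, sflow_error_pct(c)


def netflow_detect(pkts, active_timeout_s, threshold_pps):
    """NetFlow-style flow cache keyed by destination. A flow record leaves the
    router only when its active timeout expires (or when the cache is flushed at
    the end), so the collector learns about a flood no earlier than one active
    timeout after it starts. Returns the detection time in seconds or None."""
    cache = {}  # dst -> [first_ts, last_ts, packet_count]

    def exceeds(first, last, count, now):
        # a flow is given at least one second of duration to avoid absurd rates
        return now / US if count / (max(last - first, US) / US) >= threshold_pps else None

    for ts, dst in pkts:
        flow = cache.get(dst)
        if flow and ts - flow[0] >= active_timeout_s * US:
            hit = exceeds(*flow, ts)  # record exported; collector checks it now
            if hit is not None:
                return hit
            flow = None  # router starts a fresh record for this flow
        if flow is None:
            cache[dst] = [ts, ts, 1]
        else:
            flow[1], flow[2] = ts, flow[2] + 1
    end = pkts[-1][0]
    for flow in cache.values():  # final cache flush
        hit = exceeds(*flow, end)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    stream = make_stream()
    for rate in (1000, 10_000):
        est, err = sflow_estimate(stream, rate, "10.0.0.2")
        print(f"sFlow 1:{rate}: flood seen at {sflow_detect(stream, rate, 5000)} s, "
              f"estimate {est} packets (+/- {err:.1f}%)")
    print(f"NetFlow, 60 s active timeout: flood seen at {netflow_detect(stream, 60, 5000)} s")
```

Running it shows the flood being noticed within 0.3 s at 1:1000 but only after about 2.7 s at 1:10000 (and with a three times wider error band), while the NetFlow collector hears nothing until the 60 s active timeout exports the flow at t = 90 s; shortening the timeout on the router is the only way to shrink that delay.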