# Capture Modes

Rockfish Probe supports multiple capture backends for different platforms and performance requirements.

## Capture Types
| Type | Platform | Description |
|---|---|---|
| `pcap` | All | Standard libpcap (portable) |
| `afpacket` | Linux | AF_PACKET with TPACKET_V3 (high-performance) |
| `netmap` | FreeBSD | Netmap framework (high-performance) |
| `fmadio` | Linux | FMADIO appliance ring buffer |
### libpcap (Default)

The most portable option; it works on all platforms.

```yaml
input:
  source: eth0
  live_type: pcap
  filter: "tcp or udp"
  snaplen: 65535
```

```bash
sudo rockfish_probe -i eth0 --live pcap --parquet-dir ./flows
```

**Pros**

- Works everywhere (Linux, FreeBSD, macOS)
- Supports BPF filters
- Well-documented

**Cons**

- Lower performance than kernel-bypass methods
- Copies packets through the kernel
### AF_PACKET (Linux)

High-performance capture using Linux's TPACKET_V3 with memory-mapped ring buffers.

```yaml
input:
  source: eth0
  live_type: afpacket
  afpacket:
    block_size: 2097152   # 2 MB blocks
    block_count: 64       # 128 MB total ring
    fanout_group: 0       # 0 = disabled
    fanout_mode: hash
```

```bash
sudo rockfish_probe -i eth0 --live afpacket \
  --afp-block-size 2097152 \
  --afp-block-count 64 \
  --parquet-dir ./flows
```

#### Ring Buffer Sizing

Total ring buffer = `block_size` × `block_count`

Default: 2 MB × 64 = 128 MB

For 10 Gbps+:

```yaml
afpacket:
  block_size: 4194304   # 4 MB
  block_count: 128      # 512 MB total
```
#### Fanout Mode

Distribute packets across multiple processes:

```yaml
afpacket:
  fanout_group: 1     # Non-zero enables fanout
  fanout_mode: hash   # Distribute by flow hash
```

| Mode | Description |
|---|---|
| `hash` | By flow hash (recommended for flow analysis) |
| `lb` | Round-robin load balancing |
| `cpu` | By receiving CPU |
| `rollover` | Fill one socket, then the next |
| `random` | Random distribution |

#### Multi-Process Capture

Run multiple instances with the same fanout group:

```bash
# Terminal 1
sudo rockfish_probe -i eth0 --live afpacket \
  --afp-fanout-group 1 -o flows1/

# Terminal 2
sudo rockfish_probe -i eth0 --live afpacket \
  --afp-fanout-group 1 -o flows2/
```
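The ring-sizing formula and the fanout settings above are easy to get subtly wrong before the probe ever starts. The following is an added, hypothetical pre-flight check (not part of Rockfish Probe) for the `afpacket:` block: it computes the total ring size the page's formula gives and flags the values the Linux kernel will reject or silently ignore. It assumes a 4 KiB page size unless told otherwise.

```python
import os

# Fanout modes listed in the table on this page.
FANOUT_MODES = {"hash", "lb", "cpu", "rollover", "random"}

# Defaults match the page's example configuration (2 MB x 64).
DEFAULT_BLOCK_SIZE = 2097152
DEFAULT_BLOCK_COUNT = 64


def ring_bytes(afp):
    """Total TPACKET_V3 ring size = block_size * block_count (the page's formula)."""
    block_size = int(afp.get("block_size", DEFAULT_BLOCK_SIZE))
    block_count = int(afp.get("block_count", DEFAULT_BLOCK_COUNT))
    return block_size * block_count


def validate_afpacket(afp, page_size=4096):
    """Return a list of problems found in an `afpacket:` config dict; empty means OK.

    page_size defaults to 4096; on the capture host pass os.sysconf("SC_PAGE_SIZE").
    """
    problems = []
    block_size = int(afp.get("block_size", DEFAULT_BLOCK_SIZE))
    block_count = int(afp.get("block_count", DEFAULT_BLOCK_COUNT))
    if block_size <= 0 or block_count <= 0:
        problems.append("block_size and block_count must be positive")
    elif block_size % page_size:
        # The kernel refuses a PACKET_RX_RING whose tp_block_size is not page-aligned.
        problems.append(f"block_size {block_size} is not a multiple of page size {page_size}")

    group = int(afp.get("fanout_group", 0))
    if not 0 <= group <= 0xFFFF:
        # PACKET_FANOUT carries the group id in the low 16 bits of its argument.
        problems.append(f"fanout_group {group} is outside 0..65535")

    mode = afp.get("fanout_mode", "hash")
    if mode not in FANOUT_MODES:
        problems.append(f"unknown fanout_mode {mode!r}; expected one of {sorted(FANOUT_MODES)}")
    if group == 0 and "fanout_mode" in afp and mode != "hash":
        # fanout_group 0 disables fanout, so a non-default mode would never take effect.
        problems.append("fanout_mode is ignored while fanout_group is 0 (fanout disabled)")
    return problems


if __name__ == "__main__":
    for cfg in ({"block_size": 2097152, "block_count": 64},
                {"block_size": 4194304, "block_count": 128, "fanout_group": 1}):
        print(cfg, "->", ring_bytes(cfg) // (1024 * 1024), "MiB ring,",
              validate_afpacket(cfg, os.sysconf("SC_PAGE_SIZE")) or "OK")
```

Run it against the probe's YAML (after loading it with any YAML parser) before launching fanout workers, so every worker in the group starts from a ring the kernel will actually accept.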
### Netmap (FreeBSD)

High-performance capture using FreeBSD's netmap framework.

```yaml
input:
  source: em0
  live_type: netmap
  netmap:
    rx_slots: 1024
    tx_slots: 1024
    poll_timeout: 1000
    host_rings: false
```

| Option | Default | Description |
|---|---|---|
| `rx_slots` | driver default | RX ring slot count |
| `tx_slots` | driver default | TX ring slot count |
| `poll_timeout` | 1000 | Poll timeout (ms) |
| `host_rings` | false | Enable host stack access |
### FMADIO (Linux)

Capture from FMADIO 100G packet capture appliances.

```yaml
input:
  source: ring0
  live_type: fmadio
  fmadio:
    ring_path: /opt/fmadio/queue/lxc_ring0
    include_fcs_errors: false
```

Note: FMADIO support is included in all Rockfish packages.

## Reading PCAP Files

Process existing capture files:

```bash
# Single file
rockfish_probe -i capture.pcap --parquet-dir ./flows

# Multiple files with glob
rockfish_probe -i "/data/captures/*.pcap" --parquet-dir ./flows

# With application labeling
rockfish_probe -i capture.pcap --ndpi --parquet-dir ./flows
```
## BPF Filters

All capture modes except FMADIO support BPF filters:

```yaml
input:
  filter: "tcp or udp"
```

Common filters:

```bash
# Web traffic only
--filter "port 80 or port 443"

# Specific subnet
--filter "net 10.0.0.0/8"

# Exclude broadcast
--filter "not broadcast"

# DNS traffic
--filter "port 53"
```
## Choosing a Capture Mode

| Requirement | Recommended Mode |
|---|---|
| Portability | `pcap` |
| Linux high-speed (1-10 Gbps) | `afpacket` |
| Linux 40-100 Gbps | `afpacket` with large ring + fanout |
| FreeBSD high-speed | `netmap` |
| FMADIO appliance | `fmadio` |

## Next Steps

- Performance Tuning - Optimize for high-speed capture
- Configuration - Full configuration reference