Can I use DPDK as a packet capture module for a network monitoring application?

Question

My passive network monitoring application needs packets to be captured from network interface (at higher packet rates). The packet capture module should be able to call a monitoring function upon capture of each packet (and also write the packet in to pcap file).

I thought of using DPDK as the packet capture module in my monitoring application (as we use pcap_loop and pfring_loop in libpcap and pfring respectively), but I am not sure whether this is one of the use cases of DPDK, or, is DPDK meant to be used like this?.

So my questions are.. Can I use DPDK to fulfill my requirements?, If yes how to start?.

OS: Linux.
Karnal version: 4.
DPDK version: Latest stable.
Capture on physical device.
The capturing application has root privileges and will be used by the network administrator (as part of passive asset discovery).
I want to use DPDK because it supports capture at line rate upto 10 Gbps

Thank you.

Answer 1

Based on the updates and clarification in comment the request is Can one replace an existing application which PF_RING API calls with DPDK API which is written in C?. Simple answer to it is yes it can be done.

Here is how one should start

1. identify the Platform (preferably Linux/BSD, windows 21.02 is still work in progress)
2. identify the processor list of supported CPU
3. Identify a NIC to use from LIST of DPDK NIC
4. Set up the Linux environment with Linux Enviroment
5. Explore basic example/skeleton for basicfwd usage
6. get the start of ethernet header for packet using DPDK API rte_pktmbuf_mtod. There are many samples in DPDK/examples folder which does the same.
7. Invoke the packet processing function logic between rx_burst and tx_burst of example/skeleton.

Answer 2

Newer versions of libpcap can themselves use DPDK, at least on Linux. The libpcap on your system might, or might not, be configured to use it. (There are also versions of libpcap modified to use PF_RING.)