Design and Implementation of a Fast Dynamic Packet Filter

This paper presents Swift, a packet filter for high-performance packet capture on commercial off-the-shelf hardware. The key features of the Swift include: 1) extremely low filter update latency for dynamic packet filtering, and 2) gigabits-per-second high-speed packet processing. Based on complex instruction set computer (CISC) instruction set architecture (ISA), Swift achieves the former with an instruction set design that avoids the need for compilation and security checking, and the latter by mainly utilizing single instruction, multiple data (SIMD). We implement Swift in the Linux 2.6 kernel for both i386 and x86_64 architectures and extensively evaluate its dynamic and static filtering performance on multiple machines with different hardware setups. We compare Swift to BPF (the BSD packet filter)-the de facto standard for packet filtering in modern operating systems-and hand-coded optimized C filters that are used for demonstrating possible performance gains. For dynamic filtering tasks, Swift is at least three orders of magnitude faster than BPF in terms of filter update latency. For static filtering tasks, Swift outperforms BPF up to three times in terms of packet processing speed and achieves much closer performance to the optimized C filters. We also show that Swift can harness the processing power of hardware SIMD instructions by virtue of its SIMD-capable instruction set.