Network packet brokers (also called Network TAP aggregation switches) sit between your network infrastructure and monitoring tools, filtering, aggregating, and distributing traffic copies to the right analysis systems. While enterprise solutions from vendors like Gigamon and Ixia dominate the market, open-source alternatives provide capable packet brokering functionality for budget-conscious organizations.

This guide covers self-hosted approaches to network packet brokering using open-source tools, software switches, and eBPF-based traffic distribution.

What is a Network Packet Broker?

A network packet broker receives traffic copies from Network TAPs (Test Access Points) or port mirroring (SPAN) sessions, then intelligently distributes that traffic to monitoring tools based on rules you define. Key functions include:

Aggregation: Combining traffic from multiple TAP points into a single stream for centralized analysis. Filtering: Sending only relevant traffic (specific VLANs, protocols, or IP ranges) to each tool, reducing processing load. Load Balancing: Distributing high-volume traffic across multiple instances of the same monitoring tool. Packet Slicing: Stripping payload data and sending only headers to tools that don’t need full packet content, reducing bandwidth. Deduplication: Removing duplicate packets seen from multiple TAP points. Timestamping: Adding precise hardware or software timestamps for latency analysis.

Why Self-Host Packet Brokering?

Cost: Hardware packet brokers cost $10,000 to $100,000+ depending on port count and throughput. Open-source software alternatives run on commodity hardware.

Flexibility: Software-based packet brokering adapts to changing network topologies without hardware reconfiguration. New filtering rules deploy in minutes rather than requiring physical cable changes.

Edge Deployments: Small offices, branch locations, and edge computing sites need packet brokering but cannot justify the cost of hardware appliances. Software solutions fill this gap.

Integration: Open-source packet brokering tools integrate directly with your existing monitoring stack — Prometheus, Grafana, ELK — without vendor lock-in.

Open vSwitch for Packet Brokering

Open vSwitch (OVS) is the most widely deployed open-source virtual switch. While primarily designed for virtualization and cloud networking, its advanced flow-table capabilities make it a capable software packet broker.

Architecture

OVS uses OpenFlow rules to match packets based on any field in the Ethernet, IP, TCP, or UDP headers. Traffic matching specific rules can be forwarded to multiple output ports (for aggregation), sampled at configurable rates, or modified before forwarding.

Key Features

  • OpenFlow Rules: Match on any packet field — VLAN, IP, TCP flags, ports, protocols
  • Multiple Output Actions: Send copies of matching packets to multiple monitoring ports
  • Sampling (sFlow): Sample traffic at configurable rates for high-volume links
  • Tunnel Support: GRE, VXLAN, and Geneve tunnels for distributed monitoring
  • DPDK Acceleration: Optional DPDK datapath for line-rate packet processing

Deployment with Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

version: "3.8"
services:
  ovs-broker:
    image: openvswitch/ovs:latest
    container_name: ovs-broker
    privileged: true
    network_mode: "host"
    volumes:
      - /var/run/openvswitch:/var/run/openvswitch
      - ./ovs-config:/etc/openvswitch
    command: >
      ovs-vswitchd --pidfile --detach --log-file=/var/log/ovs-vswitchd.log
    restart: unless-stopped

  ovs-config:
    image: openvswitch/ovs:latest
    container_name: ovs-config-runner
    privileged: true
    network_mode: "host"
    volumes:
      - /var/run/openvswitch:/var/run/openvswitch
    command: >
      bash -c "
      ovs-vsctl add-br br-monitor &&
      ovs-vsctl add-port br-monitor eth1 &&
      ovs-vsctl add-port br-monitor eth2 &&
      ovs-vsctl add-port br-monitor monitor0 -- set Interface monitor0 type=internal &&
      echo 'Bridge configured'
      "
    depends_on:
      - ovs-broker

Configure traffic mirroring with OpenFlow:

1
2
3
4
5
6
7
8

# Mirror all traffic from eth1 and eth2 to monitor0
ovs-vsctl --   -- set Bridge br-monitor mirrors=@m --   -- --id=@eth1 get Port eth1 --   -- --id=@eth2 get Port eth2 --   -- --id=@monitor0 get Port monitor0 --   -- --id=@m create Mirror name=mirror-all     select-all=true output-port=@monitor0 select-src-port=@eth1,@eth2

# Add VLAN-based filtering: only mirror VLAN 100 traffic
ovs-ofctl add-flow br-monitor   "priority=100,dl_vlan=100,actions=output:monitor0"

# Sample 1 in 1000 packets for sFlow analysis
ovs-vsctl -- --id=@s create sFlow   agent=eth1 target="monitoring-host:6343" header=128 sampling=1000 polling=10 --   set Bridge br-monitor sflow=@s

Strengths and Limitations

OVS is the most mature and feature-rich open-source option. Its OpenFlow support provides granular traffic filtering, and DPDK acceleration enables line-rate processing on supported hardware. The large community means extensive documentation and troubleshooting resources.

The limitation is complexity — OVS has a steep learning curve, and configuring advanced mirroring rules requires OpenFlow expertise. Additionally, OVS runs in kernel space by default, which limits throughput compared to dedicated hardware packet brokers.

PF_RING for High-Performance Packet Distribution

PF_RING is a Linux kernel module and user-space library that provides high-speed packet capture and distribution. The PF_RING ZC (Zero Copy) variant enables packet brokering at multi-gigabit speeds.

Architecture

PF_RING replaces the standard Linux network stack for captured traffic, routing packets directly from the NIC to user-space applications with minimal copying. The PF_RING DNA (Direct NIC Access) variant bypasses the kernel entirely for maximum throughput.

Key Features

  • Zero-Copy Architecture: Packets move directly from NIC to application memory
  • Multi-Gigabit Throughput: 10Gbps+ on commodity hardware with PF_RING ZC
  • Hardware Timestamping: NIC-level timestamps for precise latency measurement
  • Packet Filtering: BPF-based filtering at the driver level
  • Cluster Mode: Distribute packets across multiple application instances

Deployment Setup

PF_RING requires kernel module compilation:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Install PF_RING from source
git clone https://github.com/ntop/PF_RING.git
cd PF_RING/kernel
make && sudo make install

# Load the module
sudo insmod pf_ring.ko transparent_mode=2

# Install user-space libraries
cd ../userland/lib && make && sudo make install
cd ../libpcap && ./configure && make && sudo make install

# Start a packet distributor
sudo pfringbridge -i eth1 -o eth2 -o eth3

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: "3.8"
services:
  pfring-broker:
    build:
      context: ./pfring
      dockerfile: Dockerfile
    container_name: pfring-broker
    privileged: true
    network_mode: "host"
    volumes:
      - /proc:/proc
      - /sys:/sys
      - ./pfring-config:/etc/pfring
    environment:
      - PF_RING_MIN_NUM_SLOTS=65536
    restart: unless-stopped

Strengths and Limitations

PF_RING delivers the highest throughput of any open-source packet brokering solution. For organizations that need 10Gbps+ traffic distribution without hardware appliances, PF_RING ZC is the only viable open-source option.

The trade-off is complexity and licensing. PF_RING ZC requires a commercial license for production use. The open-source version (PF_RING DNA) has limitations on supported NICs. Additionally, kernel module compilation and maintenance adds operational overhead.

eBPF-Based Packet Distribution

Modern Linux kernels support eBPF (extended Berkeley Packet Filter), enabling programmable packet processing entirely in kernel space. Tools like XDP (eXpress Data Path) provide line-rate packet filtering and distribution without kernel modules or DPDK.

Architecture

XDP programs run at the earliest point in the network driver, before the kernel allocates an sk_buff structure. This enables extremely low-latency packet processing — filtering, redirecting, or modifying packets with minimal overhead.

Key Features

  • Kernel-Native: No external kernel modules required (built into Linux 4.8+)
  • Line-Rate Processing: XDP programs run at NIC speed with zero overhead
  • Programmable Filtering: Custom packet matching using C programs compiled to eBPF bytecode
  • Safe Execution: eBPF verifier ensures programs cannot crash the kernel
  • Integration with cilium/ebpf: Rich Go library for building custom XDP programs

Deployment with Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: "3.8"
services:
  xdp-broker:
    build:
      context: ./xdp-broker
      dockerfile: Dockerfile
    container_name: xdp-broker
    privileged: true
    network_mode: "host"
    volumes:
      - /sys/fs/bpf:/sys/fs/bpf
      - ./xdp-programs:/etc/xdp
    environment:
      - XDP_INTERFACE=eth1
      - MONITOR_INTERFACE=monitor0
    restart: unless-stopped

Build and load an XDP program:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Install build dependencies
sudo apt install clang llvm libelf-dev

# Compile the XDP program
clang -O2 -target bpf -c xdp_broker.c -o xdp_broker.o

# Load the XDP program on the ingress interface
sudo ip link set dev eth1 xdp obj xdp_broker.o sec xdp

# Verify it's loaded
ip link show dev eth1 | grep xdp

Example XDP broker program:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <bpf/bpf_helpers.h>

struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __uint(max_entries, 1);
    __type(key, __u32);
    __type(value, __u32);
} monitor_ifindex SEC(".maps");

SEC("xdp")
int xdp_broker(struct xdp_md *ctx) {
    void *data = (void *)(long)ctx->data;
    void *data_end = (void *)(long)ctx->data_end;
    
    struct ethhdr *eth = data;
    if ((void *)eth + sizeof(*eth) > data_end)
        return XDP_PASS;
    
    // Mirror all IPv4 TCP traffic to monitor interface
    if (eth->h_proto == htons(ETH_P_IP)) {
        struct iphdr *iph = data + sizeof(*eth);
        if ((void *)iph + sizeof(*iph) > data_end)
            return XDP_PASS;
        
        if (iph->protocol == IPPROTO_TCP) {
            __u32 key = 0;
            __u32 *mon = bpf_map_lookup_elem(&monitor_ifindex, &key);
            if (mon) {
                bpf_redirect(*mon, 0);
            }
        }
    }
    
    return XDP_PASS;
}

char _license[] SEC("license") = "GPL";

Strengths and Limitations

eBPF/XDP represents the future of software packet brokering. It provides line-rate performance without kernel modules, DPDK, or specialized hardware. The eBPF verifier ensures safety, and the growing ecosystem of tools (cilium/ebpf, libbpf) makes development accessible.

The limitations are primarily around maturity — XDP support varies by NIC driver, and complex packet brokering features (deduplication, packet slicing) require custom development. The tooling ecosystem is still evolving compared to the maturity of OVS.

Choosing the Right Packet Brokering Solution

FeatureOpen vSwitchPF_RING ZCXDP/eBPF
Throughput1-4 Gbps10-100 Gbps10-100 Gbps
Kernel ModuleNoYesNo (kernel built-in)
ConfigurationOpenFlow rulesCLI/APIC programs
Learning CurveHighMediumHigh
LicensingApache 2.0Commercial (ZC)GPL
CommunityVery largeModerateGrowing rapidly
Best ForVirtualized/cloud monitoringHigh-speed physical networksModern Linux infrastructure

When to Use Open vSwitch

Choose OVS when you need flexible packet filtering with familiar OpenFlow semantics and strong community support. It is ideal for virtualized environments, cloud infrastructure, and organizations already using OVS for network virtualization.

When to Use PF_RING

Choose PF_RING when you need maximum throughput on physical networks with commodity hardware. If you are processing 10Gbps+ of mirrored traffic and cannot afford hardware packet brokers, PF_RING ZC delivers the performance you need.

When to Use XDP/eBPF

Choose XDP when you are running modern Linux kernels (5.x+) and want kernel-native packet processing without external dependencies. It is ideal for organizations investing in eBPF-based observability and security tooling.

Why Self-Host Packet Brokering?

Hardware network packet brokers are expensive, vendor-locked, and often over-provisioned for smaller deployments. Self-hosted software alternatives deliver comparable functionality on commodity hardware at a fraction of the cost.

For organizations with distributed infrastructure — multiple branch offices, edge computing sites, or hybrid cloud deployments — software packet brokering provides the flexibility to adapt monitoring configurations as the network evolves. New TAP points, additional monitoring tools, and changing traffic patterns can be accommodated through configuration changes rather than hardware procurement.

For network flow analysis, see our pmacct vs nfdump guide. If you need ICMP network probing tools, check our fping vs hping3 vs nping comparison. For broader network monitoring, our Blackbox Exporter vs Gatus guide covers endpoint monitoring options.

Frequently Asked Questions

What is the difference between a Network TAP and a packet broker?

A Network TAP (Test Access Point) is a hardware device that passively copies network traffic from a link. A packet broker receives traffic from multiple TAPs and intelligently distributes it to monitoring tools. Think of TAPs as the “eyes” on the network and packet brokers as the “brain” that decides which tool sees which traffic.

Can software packet brokers handle 10Gbps+ traffic?

Yes, but with caveats. PF_RING ZC and XDP/eBPF can handle 10-100Gbps on modern hardware with appropriate NICs. Open vSwitch without DPDK typically maxes out around 1-4Gbps. The key factor is whether your solution uses kernel-bypass (DPDK, PF_RING ZC, XDP) or processes packets through the standard Linux network stack.

How do I choose which traffic to send to which monitoring tool?

Use protocol-based filtering: send all HTTP/HTTPS traffic to your web application firewall, DNS traffic to your DNS monitoring tool, and everything else to your general-purpose IDS. VLAN-based filtering is another common approach — each VLAN maps to a different monitoring tool or team.

Do I need a packet broker for a small network?

For networks with fewer than 100 devices and a single monitoring tool, port mirroring (SPAN) on your switch is usually sufficient. Packet brokers become valuable when you have multiple monitoring tools that need different subsets of traffic, or when the volume of mirrored traffic exceeds what a single analysis tool can process.

Can I use a packet broker for security monitoring?

Yes, this is one of the most common use cases. A packet broker distributes traffic copies to your IDS/IPS (Suricata, Snort), network forensics system (Arkime), and anomaly detection tools. Filtering ensures each tool only receives the traffic it needs to analyze, improving detection accuracy and reducing false positives.

What happens if the packet broker fails?

In a well-designed architecture, the packet broker sits on a monitoring copy of the traffic, not the production path. If the broker fails, monitoring tools lose visibility but production traffic continues normally. For critical monitoring, run redundant packet broker instances with failover configuration.