Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Idea

This came to me during an outdoor run, the first one in a month or two letting myself go. A good reminder that working out really benefits you and makes life better overall.

LATER UPDATE, I did some work on this: Check the following branch: https://github.com/thiezn/mrpf/compare/main...mm/attempttomovetosendmsg

My idea:

I’m building a verty fast and memory efficient tcp syn scanner using rust pnet library on the datalink layer.

I’ve split transmit and receive of packets into separate threads.

The transmit thread at the moment composes a tcp packet from the ethernet layer up, and then uses the pnet datalink tx channel to send traffic out. The send function is taking up a large percentage of the total memory used.

What if i would create a larger buffer where i combine multiple packets, and then finally send that full buffer using the datalink tx channel in one go. Does the network layer below that be able to send those packets in one go and would it perhaps reduce memory footprint and less switching of user and kernel space?

Clearly think about your response and outline the pro’s con’s and potential pitfalls

Copilot’s response (Replaced initial response with a new response on GPT5.2. Perhaps we should re-run the question everytime there are more capable models?)

⚠️ Quick safety note (because the same techniques are dual‑use): I’ll focus on generic packet I/O efficiency (buffering, syscall/copy reduction, and memory behavior) and not on tactics for aggressive scanning or evasion.

Short answer

No—you generally can’t concatenate multiple Ethernet frames into one big buffer and send them “in one go” through pnet’s datalink TX channel and expect the kernel/NIC to split them into multiple packets. A datalink send call corresponds to one link-layer frame; the kernel will treat your buffer as one frame, and if it’s larger than MTU/jumbo limits it will typically be dropped or error out. Linux’s packet socket docs explicitly describe TX as queuing the user supplied buffer as a packet to the driver, unmodified. [man7.org]

If your goal is fewer copies/allocations, the more “native” way in pnet is to use build_and_send (construct in-place in a preallocated write buffer), and/or use a kernel interface designed for batching such as PACKET_MMAP / PACKET_TX_RING—but that’s outside what pnet exposes directly. [docs.rs], [kernel.org]

Why concatenation doesn’t work (and what would happen)

1) Frame boundaries matter at L2

Packet sockets / datalink TX is message-oriented: you provide one buffer = one packet. Linux packet sockets say: “When transmitting a packet, the user-supplied buffer should contain the physical-layer header. That packet is then queued unmodified to the network driver…” [man7.org]

So if you concatenate N frames:

  • The kernel/NIC won’t “parse” your blob into N frames.
  • You’ll instead attempt to transmit one oversized Ethernet frame.

2) MTU/jumbo constraints become a hard limit

Ethernet has an MTU (typically 1500 payload; ~1514/1518 with headers/FCS). If your concatenated “super-frame” exceeds MTU/jumbo settings, you’ll see:

  • sendto errors (depending on backend),
  • driver drops,
  • or silent drops downstream (switch/NIC). [man7.org]

3) Even with jumbo frames, it’s still one frame

Jumbo frames just increase the maximum size of a single frame; they do not turn one write into multiple frames.

Bottom line: concatenation is not a batching mechanism at Ethernet level.

What will help: in-place build + reusable buffers (within pnet)

Use build_and_send instead of send_to

pnet_datalink::DataLinkSender documents two TX paths:

  • send_to(packet, ...) may require an additional copy depending on OS/backend. [docs.rs]
  • build_and_send(num_packets, packet_size, closure) calls your closure with a mutable slice backed by pnet’s write buffer, letting you build in-place and avoid that copy. [docs.rs], [docs.rs]

That’s the closest thing pnet provides to what you’re trying to do (reduce allocations/copies), without changing the semantics of “one frame per send”.

Pros

  • Lower allocation pressure / fewer transient buffers (build into a preallocated write buffer). [docs.rs], [docs.rs]
  • Often lower memory footprint in profilers because you’re not allocating per packet in user space (or causing extra copies). [docs.rs]

Cons / pitfalls

  • You must size packet_size correctly and keep construction strictly within that slice.
  • Your throughput can still be limited by syscall-per-packet and driver/NIC queueing (you’ve reduced copies, not necessarily syscalls).
  • Some backends/options are “hints” and may be ignored. [docs.rs]

Tune pnet::datalink::Config for buffer sizing

Config has write_buffer_size and read_buffer_size (default 4096) that influence internal buffering.
While this doesn’t enable “multi-frame send”, it can: [docs.rs]

  • prevent “insufficient capacity” paths in build_and_send,
  • reduce internal reallocations if you accidentally trigger growth elsewhere. [docs.rs], [docs.rs]

Pitfall: Oversizing these buffers can increase baseline RSS if you create many channels/threads.

If your real goal is fewer syscalls / kernel crossings: use an API that supports batching

If your profiler shows “send” dominating time/memory, the root cause is often syscall/copy overhead and kernel socket buffer churn, not the packet crafting itself.

PACKET_MMAP / TX_RING (Linux): designed for batching & fewer copies

Linux kernel docs describe PACKET_MMAP as a shared ring buffer mapped into user space that can be used to send/receive packets efficiently, reducing syscalls and packet copies; for transmission, multiple packets can be sent through one system call.
A practical explanation also notes you can place multiple packets into the TX ring and then make one syscall to notify the kernel to transmit them. [kernel.org] [csulrong.github.io]

Pros

  • Fewer syscalls (batch kick).
  • Fewer copies (shared memory ring reduces user↔kernel copying). [kernel.org], [csulrong.github.io]
  • Potentially much better CPU efficiency at high packet rates.

Cons / pitfalls

  • Complexity: ring management, status flags, alignment, backpressure.
  • Portability: Linux-specific (and kernel-version nuances).
  • Still not “free”: NIC limits, qdisc, driver behavior can bottleneck.
  • Not directly exposed by pnet’s public API (you’d likely need a different crate or custom bindings). (pnet_datalink mentions Linux uses AF_PACKET, but doesn’t claim PACKET_MMAP support.) [docs.rs]

AF_XDP / DPDK / netmap (even faster, even more complexity)

These are the next tier for raw packet TX at very high rates, but they’re much more invasive and typically require:

  • pinned memory,
  • special driver support,
  • significant setup code,
  • reduced portability.

(Just flagging the existence; not recommending unless you truly need it.)

“Bigger buffer” idea — pros, cons, pitfalls (explicitly)

✅ Potential pros (in theory)

  • If your current code allocates one Vec per packet, switching to a reused buffer (not concatenated) can reduce allocator churn and transient memory.
  • If you move to a ring/buffer pool, you can improve cache locality and reduce fragmentation.

❌ Cons / why it won’t accomplish what you think (with pnet)

  • Concatenation does not mean multi-frame TX; it means one oversized frame. [man7.org]
  • You may hit MTU limits and drop/error. [man7.org]
  • Even if you keep the buffer ≤ MTU, you’ve just built one packet, not many.

⚠️ Pitfalls you’re likely to run into

  • Silent drops due to size/driver constraints.
  • Incorrect framing (Ethernet preamble/FCS are not in your buffer; NIC handles them per frame—another reason it can’t “split”).
  • Backpressure behavior changes: buffering many packets in user space can increase latency and burstiness.
  • Offload interactions: if you craft checksums yourself, NIC offloads can cause surprises; you may need to manage/disable offloads depending on your environment (generic caution).

Practical recommendations (lowest effort → highest impact)

1) Make sure you’re using build_and_send

This is the intended way in pnet to avoid extra copies vs send_to. [docs.rs], [docs.rs]

2) Reuse packet templates / avoid per-packet allocations

  • Build a baseline Ethernet+IPv4+TCP SYN template once in a fixed-size buffer.
  • For each packet, only mutate the fields that change (src IP/port, seq, checksum).
  • Use a small buffer pool if you need parallelism.

(You’ll typically see big wins if your “send” cost is actually “allocate+copy+send”.)

3) Tune Config.write_buffer_size

Ensure it’s comfortably ≥ your frame size so build_and_send has capacity and doesn’t fall back or fail. [docs.rs], [docs.rs]

4) If you truly need batching across syscalls: switch backend

If the syscall boundary is the bottleneck, the real fix is a batching-capable mechanism like PACKET_MMAP TX_RING on Linux.
This is a design change (and likely not pnet), but it’s the correct way to do “send many packets with one kick”. [kernel.org], [csulrong.github.io]

A couple clarifying questions (so I can give sharper advice)

  1. Which OS are you targeting (Linux only, or cross-platform)? pnet backends differ a lot. [docs.rs]
  2. When you say “send is taking a large percentage of total memory used”: do you mean RSS growth, allocations/sec, or heap retained (e.g., from jemalloc/mimalloc stats)?
  3. Are you currently calling send_to with a freshly allocated Vec<u8> each time, or reusing a buffer?

If you share a small (sanitized) snippet of your TX loop (just buffer creation + pnet send call), I can point out the most likely allocation/copy hotspots and how to restructure them without changing your overall architecture.