1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
An up to date version of this document is available online at:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING
#Install DKMS
apt-get install dkms
#We need subversion for checking out the PF_RING code we need flex and bisonfor libpcap
apt-get install subversion flex bison
#Install the debs needed for suricata.
apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev libnet1-dev
#In the exmple we will build from the GIT repo so we will need some extra packages
apt-get install git-core automake autoconf libtool
#Go to /usr/src/ we will need to be here to build our modules
cd /usr/src/
#Checkout the PF_RING code
svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING_CURRENT_SVN
#Create the DKMS build directory and copy files over for the main PF_RING module
mkdir /usr/src/pf_ring-4
cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/
cd /usr/src/pf_ring-4/
#Create a file called dkms.conf and place the following into the file.
nano dkms.conf
PACKAGE_NAME="pf_ring"
PACKAGE_VERSION="4"
BUILT_MODULE_NAME[0]="pf_ring"
DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"
AUTOINSTALL="yes"
#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04
dkms add -m pf_ring -v 4
dkms build -m pf_ring -v 4
dkms install -m pf_ring -v 4
#if you issue the following command you can see that pf_ring should now be installed as DKMS module
dkms status
#Now lets go through the steps to build a e1000e PF_RING aware driver.
mkdir /usr/src/e1000e-pf_ring-1.3.10a
cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/
#We copy this over so that DKMS can find it for driver rebuilds
cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/* /usr/src/e1000e-pf_ring-1.3.10a/
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.3.10a/
#Fix the path to pf_ring.h
cd /usr/src/e1000e-pf_ring-1.3.10a/
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' netdev.c
#Create a file called dkms.conf and place the following into the file.
nano dkms.conf
PACKAGE_NAME="e1000e-pf_ring"
PACKAGE_VERSION="1.3.10a"
BUILT_MODULE_NAME[0]="e1000e"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
AUTOINSTALL="yes"
#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04
dkms add -m e1000e-pf_ring -v 1.3.10a
dkms build -m e1000e-pf_ring -v 1.3.10a
dkms install -m e1000e-pf_ring -v 1.3.10a
#Now lets go through the steps to build a e1000 PF_RING aware driver.
mkdir /usr/src/e1000-pf_ring-8.0.30
cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/
#We copy this over so that DKMS can find it for driver rebuilds
cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/* /usr/src/e1000-pf_ring-8.0.30
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000-pf_ring-8.0.30
#Fix the path to pf_ring.h
cd /usr/src/e1000-pf_ring-8.0.30
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' e1000_main.c
#Create a file called dkms.conf and place the following into the file.
nano dkms.conf
PACKAGE_NAME="e1000-pf_ring"
PACKAGE_VERSION="8.0.30"
BUILT_MODULE_NAME[0]="e1000"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000/"
AUTOINSTALL="yes"
dkms add -m e1000-pf_ring -v 8.0.30
dkms build -m e1000-pf_ring -v 8.0.30
dkms install -m e1000-pf_ring -v 8.0.30
#Make the dir structure to hold are PF_RING enabled userland Apps.
mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}
#Build and install the userland lib.
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/include/linux/
cd /usr/src/PF_RING_CURRENT_SVN/userland/lib
./configure
sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \${DESTDIR}\/opt\/PF_RING/' Makefile
cp -f pfring_e1000e_dna.h /opt/PF_RING/include
make && make install
#Build and install the PF_RING enabled libpcap
#PF_RING enabled libpcap
cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.1.1-ring
./configure
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in
./configure --prefix=/opt/PF_RING && make && make install
#Build and install tcpdump using the PF_RING enabled version of libpcap
cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.1.1
./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && make && make install
#Pull down the latest version of suricata from the git repo and build with PF_RING support.
cd /usr/src/PF_RING_CURRENT_SVN/userland/
git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew
cd oisfnew
./autogen.sh
./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/
make && make install
#Make config and log directories for a more complete getting started see https://www.inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04.html
mkdir /etc/suricata
cp suricata.yaml /etc/suricata/
cp classification.config /etc/suricata/
mkdir /var/log/suricata
#Setup options for when we intialize the module (here is the output from modinfo)
#parm: num_slots:Number of ring slots (uint)
#parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
#parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
#parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
echo "options pf_ring transparent_mode=0 num_slots=32768 enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf
#start up suricata with PF_RING support currently these options don't have very much effect with the AutoMode but see src/runmodes.c for more more options.
/opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
#To check the status of PF_RING
modinfo pf_ring && cat /proc/net/pf_ring/info
#If you need to uninstall PF_RING or rollback your PF_RING aware drivers to their previous state you can do so with the following commands.
dkms remove -m e1000e-pf_ring -v 1.3.10a --all
dkms remove -m e1000 -v 8.0.30 --all
dkms remove -m pf_ring -v 4 --all
|
