一、背景
Suricata支持网卡在线抓包和离线读取PCAP包两种形式的抓包:
- 离线抓包天然具有速度慢、非实时的特点
- 在线捕获数据包又包括常规网卡抓包、PF_RING和DPDK的方式
由于项目分光的流量较大, 软件自带的抓包方式并不能满足需求,因此采用了基于DPDK的Suricata在线捕获网卡数据包的方式。
二、 服务器配置与对应软件版本
操作系统:Centos7.6 1810 内核版本:3.10.0-1160.88.1.el7.x86_64 网卡信息:Intel X722 万兆光口以太网卡 DPDK版本:dpdk-19.11.14 Suricata版本:DPDK_Suricata-4.1.4
三、部署安装DPDK
基于DPDK抓包的Suricata版本只更新到4.1.4,因此对DPDK版本有要求,经过测试推荐使用 DPDK-19.11.14
DPDK官网下载地址:http://fast.dpdk.org/rel/dpdk-19.11.14.tar.gz
1、安装dpdk-19.11.14需要操作系统内核版本大于3.2,如果版本过低,可以通过以下方式升级
1 [root@ids-dpdk ~]# cat /etc/redhat-release 2 CentOS Linux release 7.6.1810 (Core) 3 [root@ids-dpdk ~]# uname -r #查看一下系统版本 4 3.10.0-957.el7.x86_64 5 [root@ids-dpdk ~]# rpm -qa kernel #通过rpm命令查看我所安装的内核版本 6 kernel-3.10.0-957.el7.x86_64 7 [root@ids-dpdk ~]# ls /usr/src/kernels/ #查看有没有相应的内核开发包 8 空 #如果该目录下没有系统内核源码,执行以下操作 9 [root@ids-dpdk ~]# yum install kernel-devel #安装内核头文件后 10 [root@ids-dpdk ~]# ls /usr/src/kernels/ 11 3.10.0-1160.88.1.el7.x86_64 12 #两个版本号不一致,进行升级并重启 13 [root@ids-dpdk ~]# yum -y update kernel kernel-devel 14 [root@ids-dpdk ~]# reboot 15 #再此查看,版本号一致,问题解决 16 [root@ids-dpdk ~]# ls /usr/src/kernels/ 17 3.10.0-1160.88.1.el7.x86_64 18 [root@ids-dpdk ~]# uname -r 19 3.10.0-1160.88.1.el7.x86_64
2、安装依赖包
sudo yum install -y gcc make sudo yum install -y libpcap libpcap-devel sudo yum install -y numactl numactl-devel sudo yum install -y pciutils
3、从dpdk官网下载dpdk压缩包并解压
将dpdk压缩包下载到/home目录下并解压 wget http://fast.dpdk.org/rel/dpdk-19.11.14.tar.gz tar -zxvf dpdk-19.11.14.tar.gz
4、DPDK编译和网卡绑定
1. 设置环境变量,命令行执行: [root@ids-dpdk ~]# export RTE_SDK='/home/dpdk-19.11.14' [root@ids-dpdk ~]# export RTE_TARGET=x86_64-native-linuxapp-gcc #(对于64位机用这个命令,对于32位机用i686-native-linuxapp-gcc) 2. 查看环境变量是否设置好: [root@ids-dpdk ~]# env |grep RTE RTE_SDK=/home/dpdk-stable-19.11.14 RTE_TARGET=x86_64-native-linuxapp-gcc 3. 关闭要绑定的网卡,否则绑定dpdk时不成功 ifconfig ens1f0 down 4. 进入到dpdk-19.11.14/usertools目录下 cd /home/dpdk-19.11.14/usertools 执行./dpdk-setup.sh 会输出一列可选操作: ------------------------------------------------------------------------------ RTE_SDK exported as /home/dpdk-stable-19.11.14 ------------------------------------------------------------------------------ ---------------------------------------------------------- Step 1: Select the DPDK environment to build ---------------------------------------------------------- [1] arm64-armada-linuxapp-gcc [2] arm64-armada-linux-gcc [3] arm64-armv8a-linuxapp-clang [4] arm64-armv8a-linuxapp-gcc [5] arm64-armv8a-linux-clang [6] arm64-armv8a-linux-gcc [7] arm64-bluefield-linuxapp-gcc [8] arm64-bluefield-linux-gcc [9] arm64-dpaa-linuxapp-gcc [10] arm64-dpaa-linux-gcc [11] arm64-emag-linuxapp-gcc [12] arm64-emag-linux-gcc [13] arm64-graviton2-linuxapp-gcc [14] arm64-graviton2-linux-gcc [15] arm64-n1sdp-linuxapp-gcc [16] arm64-n1sdp-linux-gcc [17] arm64-octeontx2-linuxapp-gcc [18] arm64-octeontx2-linux-gcc [19] arm64-stingray-linuxapp-gcc [20] arm64-stingray-linux-gcc [21] arm64-thunderx2-linuxapp-gcc [22] arm64-thunderx2-linux-gcc [23] arm64-thunderx-linuxapp-gcc [24] arm64-thunderx-linux-gcc [25] arm64-xgene1-linuxapp-gcc [26] arm64-xgene1-linux-gcc [27] arm-armv7a-linuxapp-gcc [28] arm-armv7a-linux-gcc [29] graviton2 [30] i686-native-linuxapp-gcc [31] i686-native-linuxapp-icc [32] i686-native-linux-gcc [33] i686-native-linux-icc [34] ppc_64-power8-linuxapp-gcc [35] ppc_64-power8-linux-gcc [36] x86_64-native-bsdapp-clang [37] x86_64-native-bsdapp-gcc [38] x86_64-native-freebsd-clang [39] x86_64-native-freebsd-gcc [40] x86_64-native-linuxapp-clang [41] x86_64-native-linuxapp-gcc [42] x86_64-native-linuxapp-icc [43] x86_64-native-linux-clang [44] x86_64-native-linux-gcc [45] x86_64-native-linux-icc [46] x86_x32-native-linuxapp-gcc [47] x86_x32-native-linux-gcc ---------------------------------------------------------- Step 2: Setup linux environment ---------------------------------------------------------- [48] Insert IGB UIO module [49] Insert VFIO module [50] Insert KNI module [51] Setup hugepage mappings for non-NUMA systems [52] Setup hugepage mappings for NUMA systems [53] Display current Ethernet/Baseband/Crypto device settings [54] Bind Ethernet/Baseband/Crypto device to IGB UIO module [55] Bind Ethernet/Baseband/Crypto device to VFIO module [56] Setup VFIO permissions ---------------------------------------------------------- Step 3: Run test application for linux environment ---------------------------------------------------------- [57] Run test application ($RTE_TARGET/app/test) [58] Run testpmd application in interactive mode ($RTE_TARGET/app/testpmd) ---------------------------------------------------------- Step 4: Other tools ---------------------------------------------------------- [59] List hugepage info from /proc/meminfo ---------------------------------------------------------- Step 5: Uninstall and system cleanup --------------