Installation Guide For PF_RING

June 15, 2010

Below you can find an installation guide for PF_RING written by Gunjan Bansal.

 

The original blog entry can be found at this URL.

 

————-

Hi,

This is my first guide, so please bear with me for any discrepancies.

 

These steps were tested on an Intel Core 2 Duo machine with 4 GB RAM and an Intel(R) PRO/1000 Network Card, with Ubuntu 9.10 installed. This guide explains the installation procedure for Version 4.3.1.

 

The PF_RING implementation by Luca Deri is a great method for efficient packet capture on commodity hardware. It can be found at http://www.ntop.org/PF_RING.html

 

 

I made a clean install; no packages were installed other than those mentioned.

 

 

  1. Uninstall libpcap and other dependent applications/libraries using Synaptic or apt-get
  2. Install subversion (for fetching the latest source code), flex and bison (required to recompile the pf_ring aware pcap), and ethtool (if not preinstalled; required for some basic NIC info of your computer)
  3. Use Subversion to fetch the source code

    svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING
  4. Check your current network card/driver using ethtool (use man ethtool for more information on how to use ethtool)

    ethtool -i eth0 #change eth0 to your ethernet card

    Sample output:

    driver: e1000e
    version: 1.0.2-k2
    firmware-version: 0.4-3
    bus-info: 0000:00:19.0

    As of version 4.3.1, PF_RING can be fully exploited only with PF_RING aware device drivers. The modified device drivers for some of the popular network cards can be found in PF_RING/drivers.
    These are modified versions of the drivers supplied by the respective companies. (They might be a bit older sometimes, but will work.)
  5. Unload the ethernet card driver (this is shown in the first line of output of the above command)

    sudo rmmod e1000e
  6. Change the current working directory to kernel

    cd PF_RING/kernel
  7. Make the source code

    make

    Here I have observed that many times people (even I, on my first attempt) use sudo make or sudo -s, make. The former is not a correct method and will give you errors such as bounds.c missing, etc.
    The latter is also wrong but will do the job. The reason for this is better explained by the difference between the commands “sudo” and “sudo -s”. This can be found at http://ubuntuforums.org/showthread.php?t=983645, or by searching for “difference between sudo and sudo -s” on our favorite Google.
  8. Now install the newly built source

    sudo make install
  9. Change the working directory to PF_RING/userland/lib

    cd ../userland/lib
  10. Again build the source code

    make
  11. Install the library (this includes pfring.h)

    sudo make install
  12. One bizarre thing that I observed is that make install copies pfring.h to /usr/local/include but leaves out the other dependent files. These are:
    • pfring_e1000e_dna.c
    • pfring_e1000e_dna.h
  13. Although the functions in these files are not required in much of the program, they are included in pfring.h and I don’t want to mess with that. So we copy these to /usr/local/include. Please check this in later versions.

    sudo cp pfring_e1000e_dna.c /usr/local/include
    sudo cp pfring_e1000e_dna.h /usr/local/include
  14. Now we have to compile the PF_RING aware pcap library. Change the working directory to userland/libpcap-1.0.0-ring

    cd ../libpcap-1.0.0-ring/
  15. Configure

    ./configure
  16. Build the sources

    make
  17. Install the pf_ring aware libpcap

    sudo make install
  18. Now we need to install the (pf_ring aware) device driver. Change the working directory to drivers///src
    In my case it is “drivers/intel/e1000e-1.0.15/src”

    cd ../../drivers/intel/e1000e-1.0.15/src
  19. Build the source

    make
  20. Install the driver

    sudo make install
  21. Now we need to activate PF_RING if it's not already activated. You can use lsmod to check if pf_ring is started or not. Change the working directory to /lib/modules//kernel/net/pf_ring. Use uname -r to get the kernel version

    cd /lib/modules/2.6.31-14-generic/kernel/net/pf_ring
  22. Enable PF_RING (if already enabled you can disable it using sudo rmmod pf_ring). More on transparent mode can be found at http://www.ntop.org/blog/?p=56

    sudo insmod pf_ring.ko transparent_mode=1
  23. Now, to enable your driver, go to /lib/modules//kernel/drivers/net/e1000e

    cd /lib/modules/2.6.31-14-generic/kernel/drivers/net/e1000e
  24. Enable the driver

    sudo insmod e1000e.ko
  25. Now you can start working on your PF_RING application. You will have to recompile many applications such as tcpdump (modified included), network manager, etc. Google for doing so :)
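
A post-install check for the procedure above, added here as an example and not part of the original guide: it confirms that pf_ring and the NIC driver are loaded, that the interface is bound to the expected driver, and that the headers from steps 11-13 are in /usr/local/include. The function names, the default driver e1000e and the sample lsmod sizes are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): post-install checks for the
# steps above. Function names and sample data are constructed.

# Constructed sample: `ethtool -i` output as shown in step 4.
SAMPLE_ETHTOOL='driver: e1000e
version: 1.0.2-k2
firmware-version: 0.4-3
bus-info: 0000:00:19.0'

# Constructed sample: `lsmod` output after steps 22 and 24 (sizes invented).
SAMPLE_LSMOD='Module                  Size  Used by
e1000e                122124  0
pf_ring                49392  0'

# Print the driver name from `ethtool -i` output on stdin.
nic_driver() {
    awk -F': *' '$1 == "driver" { print $2; exit }'
}

# Succeed if module $1 is listed in `lsmod` output on stdin.
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Print each header from steps 11-13 that is absent from directory $1.
missing_headers() {
    for f in pfring.h pfring_e1000e_dna.c pfring_e1000e_dna.h; do
        [ -f "${1:-/usr/local/include}/$f" ] || printf '%s\n' "$f"
    done
}

# Run all checks on the live system: check_install <iface> [driver]
check_install() {
    iface=$1; want=${2:-e1000e}; rc=0
    mods=$(lsmod)
    for m in pf_ring "$want"; do
        printf '%s\n' "$mods" | module_loaded "$m" ||
            { echo "module not loaded: $m"; rc=1; }
    done
    drv=$(ethtool -i "$iface" | nic_driver)
    [ "$drv" = "$want" ] || { echo "$iface uses '$drv', expected $want"; rc=1; }
    miss=$(missing_headers)
    [ -z "$miss" ] || { echo "missing headers:" $miss; rc=1; }
    return $rc
}

if [ "$#" -gt 0 ]; then check_install "$@"; fi
```

Run it with the interface name as the first argument (for example eth0); a non-zero exit status means at least one check failed.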