suricata/doc/INSTALL.PF_RING

An up to date version of this document is available online at:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING

#Install DKMS
apt-get install dkms

#We need subversion for checking out the PF_RING code we need flex and bisonfor libpcap
apt-get install subversion flex bison

#Install the debs needed for suricata.
apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev libnet1-dev

#In the exmple we will build from the GIT repo so we will need some extra packages
apt-get install git-core automake autoconf libtool


#Go to /usr/src/ we will need to be here to build our modules
cd /usr/src/

#Checkout the PF_RING code
svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING_CURRENT_SVN

#Create the DKMS build directory and copy files over for the main PF_RING module
mkdir /usr/src/pf_ring-4
cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/
cd /usr/src/pf_ring-4/

#Create a file called dkms.conf and place the following into the file.
nano dkms.conf

PACKAGE_NAME="pf_ring"
PACKAGE_VERSION="4"
BUILT_MODULE_NAME[0]="pf_ring"
DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"
AUTOINSTALL="yes"

#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04
dkms add -m pf_ring -v 4
dkms build -m pf_ring -v 4
dkms install -m pf_ring -v 4

#if you issue the following command you can see that pf_ring should now be installed as DKMS module
dkms status

#Now lets go through the steps to build a e1000e PF_RING aware driver.
mkdir /usr/src/e1000e-pf_ring-1.3.10a
cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/

#We copy this over so that DKMS can find it for driver rebuilds
cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/* /usr/src/e1000e-pf_ring-1.3.10a/
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.3.10a/

#Fix the path to pf_ring.h
cd /usr/src/e1000e-pf_ring-1.3.10a/
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' netdev.c

#Create a file called dkms.conf and place the following into the file.
nano dkms.conf

PACKAGE_NAME="e1000e-pf_ring"
PACKAGE_VERSION="1.3.10a"
BUILT_MODULE_NAME[0]="e1000e"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
AUTOINSTALL="yes"

#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04
dkms add -m e1000e-pf_ring -v 1.3.10a
dkms build -m e1000e-pf_ring -v 1.3.10a
dkms install -m e1000e-pf_ring -v 1.3.10a

#Now lets go through the steps to build a e1000 PF_RING aware driver.
mkdir /usr/src/e1000-pf_ring-8.0.30
cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/

#We copy this over so that DKMS can find it for driver rebuilds
cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/* /usr/src/e1000-pf_ring-8.0.30
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000-pf_ring-8.0.30

#Fix the path to pf_ring.h
cd /usr/src/e1000-pf_ring-8.0.30
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' e1000_main.c

#Create a file called dkms.conf and place the following into the file.
nano dkms.conf

PACKAGE_NAME="e1000-pf_ring"
PACKAGE_VERSION="8.0.30"
BUILT_MODULE_NAME[0]="e1000"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000/"
AUTOINSTALL="yes"

dkms add -m e1000-pf_ring -v 8.0.30
dkms build -m e1000-pf_ring -v 8.0.30
dkms install -m e1000-pf_ring -v 8.0.30

#Make the dir structure to hold are PF_RING enabled userland Apps.
mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}

#Build and install the userland lib.
cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/include/linux/
cd /usr/src/PF_RING_CURRENT_SVN/userland/lib
./configure
sed -i -e 's/INSTDIR   = \${DESTDIR}\/usr\/local/INSTDIR   = \${DESTDIR}\/opt\/PF_RING/' Makefile
cp -f pfring_e1000e_dna.h /opt/PF_RING/include
make &&  make install

#Build and install the PF_RING enabled libpcap
#PF_RING enabled libpcap
cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.1.1-ring
./configure
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in
./configure --prefix=/opt/PF_RING && make && make install

#Build and install tcpdump using the PF_RING enabled version of libpcap
cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.1.1
./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && make && make install

#Pull down the latest version of suricata from the git repo and build with PF_RING support.
cd /usr/src/PF_RING_CURRENT_SVN/userland/
git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew
cd oisfnew
./autogen.sh
./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/
make && make install

#Make config and log directories for a more complete getting started see http://www.inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04.html
mkdir /etc/suricata
cp suricata.yaml /etc/suricata/
cp classification.config /etc/suricata/
mkdir /var/log/suricata

#Setup options for when we intialize the module (here is the output from modinfo)
#parm:           num_slots:Number of ring slots (uint)
#parm:           transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
#parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
#parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
echo "options pf_ring transparent_mode=0 num_slots=32768 enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf

#start up suricata with PF_RING support currently these options don't have very much effect with the AutoMode but see src/runmodes.c for more more options.
/opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml

#To check the status of PF_RING
modinfo pf_ring && cat /proc/net/pf_ring/info

#If you need to uninstall PF_RING or rollback your PF_RING aware drivers to their previous state you can do so with the following commands.
dkms remove -m e1000e-pf_ring -v 1.3.10a --all
dkms remove -m e1000 -v 8.0.30 --all
dkms remove -m pf_ring -v 4 --all
Add content to ChangeLog and add links to more up to date versions of various docs. 14 years ago			`An up to date version of this document is available online at:`
			`https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING`

Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago			`#Install DKMS`
			`apt-get install dkms`

			`#We need subversion for checking out the PF_RING code we need flex and bisonfor libpcap`
Update pfring doc. 15 years ago			`apt-get install subversion flex bison`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago
			`#Install the debs needed for suricata.`
			`apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev libnet1-dev`

			`#In the exmple we will build from the GIT repo so we will need some extra packages`
			`apt-get install git-core automake autoconf libtool`


			`#Go to /usr/src/ we will need to be here to build our modules`
			`cd /usr/src/`

			`#Checkout the PF_RING code`
			`svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING_CURRENT_SVN`

			`#Create the DKMS build directory and copy files over for the main PF_RING module`
			`mkdir /usr/src/pf_ring-4`
			`cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/`
			`cd /usr/src/pf_ring-4/`

			`#Create a file called dkms.conf and place the following into the file.`
			`nano dkms.conf`

			`PACKAGE_NAME="pf_ring"`
			`PACKAGE_VERSION="4"`
			`BUILT_MODULE_NAME[0]="pf_ring"`
			`DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"`
			`AUTOINSTALL="yes"`

			`#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04`
			`dkms add -m pf_ring -v 4`
			`dkms build -m pf_ring -v 4`
			`dkms install -m pf_ring -v 4`

			`#if you issue the following command you can see that pf_ring should now be installed as DKMS module`
			`dkms status`

Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`#Now lets go through the steps to build a e1000e PF_RING aware driver.`
			`mkdir /usr/src/e1000e-pf_ring-1.3.10a`
			`cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago
			`#We copy this over so that DKMS can find it for driver rebuilds`
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/* /usr/src/e1000e-pf_ring-1.3.10a/`
			`cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.3.10a/`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago
			`#Fix the path to pf_ring.h`
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`cd /usr/src/e1000e-pf_ring-1.3.10a/`
			`sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' netdev.c`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago
			`#Create a file called dkms.conf and place the following into the file.`
			`nano dkms.conf`

			`PACKAGE_NAME="e1000e-pf_ring"`
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`PACKAGE_VERSION="1.3.10a"`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago			`BUILT_MODULE_NAME[0]="e1000e"`
			`DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"`
			`AUTOINSTALL="yes"`

			`#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04`
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`dkms add -m e1000e-pf_ring -v 1.3.10a`
			`dkms build -m e1000e-pf_ring -v 1.3.10a`
			`dkms install -m e1000e-pf_ring -v 1.3.10a`

			`#Now lets go through the steps to build a e1000 PF_RING aware driver.`
			`mkdir /usr/src/e1000-pf_ring-8.0.30`
			`cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/`

			`#We copy this over so that DKMS can find it for driver rebuilds`
			`cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/* /usr/src/e1000-pf_ring-8.0.30`
			`cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000-pf_ring-8.0.30`

			`#Fix the path to pf_ring.h`
			`cd /usr/src/e1000-pf_ring-8.0.30`
			`sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' e1000_main.c`

			`#Create a file called dkms.conf and place the following into the file.`
			`nano dkms.conf`

			`PACKAGE_NAME="e1000-pf_ring"`
			`PACKAGE_VERSION="8.0.30"`
			`BUILT_MODULE_NAME[0]="e1000"`
			`DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000/"`
			`AUTOINSTALL="yes"`

			`dkms add -m e1000-pf_ring -v 8.0.30`
			`dkms build -m e1000-pf_ring -v 8.0.30`
			`dkms install -m e1000-pf_ring -v 8.0.30`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago
			`#Make the dir structure to hold are PF_RING enabled userland Apps.`
			`mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}`

			`#Build and install the userland lib.`
			`cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/include/linux/`
			`cd /usr/src/PF_RING_CURRENT_SVN/userland/lib`
Update pfring doc. 15 years ago			`./configure`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago			`sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \${DESTDIR}\/opt\/PF_RING/' Makefile`
			`cp -f pfring_e1000e_dna.h /opt/PF_RING/include`
			`make && make install`

			`#Build and install the PF_RING enabled libpcap`
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`#PF_RING enabled libpcap`
			`cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.1.1-ring`
Small pfring doc update by Joshua White from Everis. 15 years ago			`./configure`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago			`sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile`
			`sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in`
			`./configure --prefix=/opt/PF_RING && make && make install`

			`#Build and install tcpdump using the PF_RING enabled version of libpcap`
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.1.1`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago			`./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && make && make install`

			`#Pull down the latest version of suricata from the git repo and build with PF_RING support.`
			`cd /usr/src/PF_RING_CURRENT_SVN/userland/`
			`git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew`
			`cd oisfnew`
			`./autogen.sh`
			`./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/`
			`make && make install`

			`#Make config and log directories for a more complete getting started see http://www.inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04.html`
			`mkdir /etc/suricata`
			`cp suricata.yaml /etc/suricata/`
			`cp classification.config /etc/suricata/`
			`mkdir /var/log/suricata`

			`#Setup options for when we intialize the module (here is the output from modinfo)`
			`#parm: num_slots:Number of ring slots (uint)`
			`#parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)`
			`#parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)`
			`#parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)`
			`echo "options pf_ring transparent_mode=0 num_slots=32768 enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf`

			`#start up suricata with PF_RING support currently these options don't have very much effect with the AutoMode but see src/runmodes.c for more more options.`
			`/opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml`

			`#To check the status of PF_RING`
			`modinfo pf_ring && cat /proc/net/pf_ring/info`

			`#If you need to uninstall PF_RING or rollback your PF_RING aware drivers to their previous state you can do so with the following commands.`
Support for PF_RING versions where packet passed as a reference and version 4.7.1 where pfring_enable_ring now seems to be required. 15 years ago			`dkms remove -m e1000e-pf_ring -v 1.3.10a --all`
			`dkms remove -m e1000 -v 8.0.30 --all`
Added an install doc for PF_RING to doc/INSTALL.PF_RING 16 years ago			`dkms remove -m pf_ring -v 4 --all`