suricata/doc/Installation_with_PF_RING.txt

Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING


Installation with PF RING

This is the installation guide for Suricata with PF_RING support and a guide to
install PF_RING.
To install DKMS, enter:

  sudo apt-get install dkms

To get subversion for checking out the PF_RING code, flex and bison for
libpcap, enter:

  sudo apt-get install subversion flex bison

To install the debs needed for Suricata, enter the following:

  sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-
  ng-dev libnet1-dev

In the example you will build from the GIT repository, so you will need some
extra packages:

  sudo apt-get install git-core automake autoconf libtool

To build your modules, please go to:

  cd /usr/src/

Checkout the PF_RING code:

  sudo svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/
  PF_RING_CURRENT_SVN

Create the DKMS build directory and copy files over for the main PF_RING module
by entering the following:

  sudo mkdir /usr/src/pf_ring-4
  sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/
  cd /usr/src/pf_ring-4/

Create a file called 'dkms.conf'

  sudo nano dkms.conf

and place the following into the file:

  PACKAGE_NAME="pf_ring"
  PACKAGE_VERSION="4"
  BUILT_MODULE_NAME[0]="pf_ring"
  DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"
  AUTOINSTALL="yes"

To close the file, do so by pressing Ctrl and X at the same time, followed by y
and enter.
Build and install the kernel -module of PF_RING:

  sudo dkms add -m pf_ring -v 4
  sudo dkms build -m pf_ring -v 4
  sudo dkms install -m pf_ring -v 4

development headers.(zie aantekeningen)

  sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}

Next, build and install the userland lib.:

  sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/
  include/linux/
  cd /usr/src/PF_RING_CURRENT_SVN/userland/lib
  sudo ./configure
  sudo sed -i -e 's/INSTDIR   = \${DESTDIR}\/usr\/local/INSTDIR   = \$
  {DESTDIR}\/opt\/PF_RING/' Makefile
  sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include
  sudo make
  sudo make install

Enter the following to pull down the latest version of Suricata from the git
repository and build with PF_RING support:

  cd /usr/src/PF_RING_CURRENT_SVN/userland/
  sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew
  cd oisfnew
  sudo ./autogen.sh
  sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib
  --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/
  PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/
  PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/
  sudo make install
  sudo make
  sudo mkdir etc/suricata

To make config and log directories for a more complete getting started, see:
Basic_Setup.

  sudo mkdir /etc/suricata
  sudo cp suricata.yaml /etc/suricata/
  sudo cp classification.config /etc/suricata/
  sudo mkdir /var/log/suricata

The information about the setup options for when you initialise the module:
min_num_slots:Number of ring slots (uint)
transparent_mode:0=standard Linux, 1=direct2pfring+transparent,
2=direct2pfring+non transparent.
For 1 and 2 you need to use a PF_RING aware driver (uint) .
enable_tx_capture:Set to 1 to capture outgoing packets (uint)
enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is
defragmentead) (uint)
Enter the following as super-user:

  echo "options pf_ring transparent_mode=0 min_num_slots=32768
  enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf

To check the status of PF_RING :

  sudo modprobe pf_ring
  sudo modinfo pf_ring && cat /proc/net/pf_ring/info

Start up Suricata with PF_RING support:

  sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --
  pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml

If you need to uninstall PF_RING or rollback your PF_RING aware drivers to
their previous state you can do so with the following commands:

  sudo dkms remove -m pf_ring -v 4 --all


Optional

The following part is optional.

  sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all

If you issue the following command, you can see that PF_RING should now be
installed as DKMS module:

  dkms status

Now go through the steps to build a PF_RING aware driver:

  sudo mkdir /usr/src/e1000e-pf_ring-1.0.15
  sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-
  1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/

Enter the following so that DKMS can find it for driver rebuilds:

  sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/
  e1000e-pf_ring-1.0.15/
  cd /usr/src/e1000e-pf_ring-1.0.15/

After that, fix the path to pf_ring.h:

  sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/
  ' netdev.c

Then create a file called 'dkms.conf'.

  sudo nano dkms.conf

and place the following into the file:

  PACKAGE_NAME="e1000e-pf_ring"
  PACKAGE_VERSION="1.0.15"
  BUILT_MODULE_NAME[0]="e1000e"
  DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
  AUTOINSTALL="yes"

Build and install the module of the e1000e-pf_ring network driver:

  sudo dkms add -m e1000e-pf_ring -v 1.0.15
  sudo dkms build -m e1000e-pf_ring -v 1.0.15
  sudo dkms install -m e1000e-pf_ring -v 1.0.15

After that, build and install the PF_RING enabled libpcap:

  cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring
  ./configure
  sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
  ' Makefile
  sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
  ' Makefile.in
  ./configure --prefix=/opt/PF_RING && make && make install

Subsequently, build and install tcpdump using the PF_RING enabled version of
libpcap:

  cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0
  sudo ./configure
  sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
  ' Makefile
  sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
  ' Makefile.in
  sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
  ' Makefile
  sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
  ' Makefile.in
  sudo sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
  ' Makefile
  sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
  ' Makefile.in
  sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --
  prefix=/opt/PF_RING/ --enable-ipv6 && make && make install
Update docs from wiki 13 years ago			`Autogenerated on 2012-11-29`
Add export of wiki install docs to our doc/ dir. 14 years ago			`from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING`


			`Installation with PF RING`

			`This is the installation guide for Suricata with PF_RING support and a guide to`
			`install PF_RING.`
			`To install DKMS, enter:`

			`sudo apt-get install dkms`

			`To get subversion for checking out the PF_RING code, flex and bison for`
			`libpcap, enter:`

			`sudo apt-get install subversion flex bison`

			`To install the debs needed for Suricata, enter the following:`

			`sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-`
			`ng-dev libnet1-dev`

			`In the example you will build from the GIT repository, so you will need some`
			`extra packages:`

			`sudo apt-get install git-core automake autoconf libtool`

			`To build your modules, please go to:`

			`cd /usr/src/`

			`Checkout the PF_RING code:`

			`sudo svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/`
			`PF_RING_CURRENT_SVN`

			`Create the DKMS build directory and copy files over for the main PF_RING module`
			`by entering the following:`

			`sudo mkdir /usr/src/pf_ring-4`
			`sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/`
			`cd /usr/src/pf_ring-4/`

			`Create a file called 'dkms.conf'`

			`sudo nano dkms.conf`

			`and place the following into the file:`

			`PACKAGE_NAME="pf_ring"`
			`PACKAGE_VERSION="4"`
			`BUILT_MODULE_NAME[0]="pf_ring"`
			`DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"`
			`AUTOINSTALL="yes"`

			`To close the file, do so by pressing Ctrl and X at the same time, followed by y`
			`and enter.`
			`Build and install the kernel -module of PF_RING:`

			`sudo dkms add -m pf_ring -v 4`
			`sudo dkms build -m pf_ring -v 4`
			`sudo dkms install -m pf_ring -v 4`

			`development headers.(zie aantekeningen)`

			`sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}`

			`Next, build and install the userland lib.:`

			`sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/`
			`include/linux/`
			`cd /usr/src/PF_RING_CURRENT_SVN/userland/lib`
			`sudo ./configure`
			`sudo sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \$`
			`{DESTDIR}\/opt\/PF_RING/' Makefile`
			`sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include`
			`sudo make`
			`sudo make install`

			`Enter the following to pull down the latest version of Suricata from the git`
			`repository and build with PF_RING support:`

			`cd /usr/src/PF_RING_CURRENT_SVN/userland/`
			`sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew`
			`cd oisfnew`
			`sudo ./autogen.sh`
			`sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib`
			`--with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/`
			`PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/`
			`PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/`
			`sudo make install`
			`sudo make`
			`sudo mkdir etc/suricata`

			`To make config and log directories for a more complete getting started, see:`
			`Basic_Setup.`

			`sudo mkdir /etc/suricata`
			`sudo cp suricata.yaml /etc/suricata/`
			`sudo cp classification.config /etc/suricata/`
			`sudo mkdir /var/log/suricata`

			`The information about the setup options for when you initialise the module:`
			`min_num_slots:Number of ring slots (uint)`
			`transparent_mode:0=standard Linux, 1=direct2pfring+transparent,`
			`2=direct2pfring+non transparent.`
			`For 1 and 2 you need to use a PF_RING aware driver (uint) .`
			`enable_tx_capture:Set to 1 to capture outgoing packets (uint)`
			`enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is`
			`defragmentead) (uint)`
			`Enter the following as super-user:`

			`echo "options pf_ring transparent_mode=0 min_num_slots=32768`
			`enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf`

			`To check the status of PF_RING :`

			`sudo modprobe pf_ring`
			`sudo modinfo pf_ring && cat /proc/net/pf_ring/info`

			`Start up Suricata with PF_RING support:`

			`sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --`
			`pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml`

			`If you need to uninstall PF_RING or rollback your PF_RING aware drivers to`
			`their previous state you can do so with the following commands:`

			`sudo dkms remove -m pf_ring -v 4 --all`


			`Optional`

			`The following part is optional.`

			`sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all`

			`If you issue the following command, you can see that PF_RING should now be`
			`installed as DKMS module:`

			`dkms status`

			`Now go through the steps to build a PF_RING aware driver:`

			`sudo mkdir /usr/src/e1000e-pf_ring-1.0.15`
			`sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-`
			`1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/`

			`Enter the following so that DKMS can find it for driver rebuilds:`

			`sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/`
			`e1000e-pf_ring-1.0.15/`
			`cd /usr/src/e1000e-pf_ring-1.0.15/`

			`After that, fix the path to pf_ring.h:`

			`sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/`
			`' netdev.c`

			`Then create a file called 'dkms.conf'.`

			`sudo nano dkms.conf`

			`and place the following into the file:`

			`PACKAGE_NAME="e1000e-pf_ring"`
			`PACKAGE_VERSION="1.0.15"`
			`BUILT_MODULE_NAME[0]="e1000e"`
			`DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"`
			`AUTOINSTALL="yes"`

			`Build and install the module of the e1000e-pf_ring network driver:`

			`sudo dkms add -m e1000e-pf_ring -v 1.0.15`
			`sudo dkms build -m e1000e-pf_ring -v 1.0.15`
			`sudo dkms install -m e1000e-pf_ring -v 1.0.15`

			`After that, build and install the PF_RING enabled libpcap:`

			`cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring`
			`./configure`
			`sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/`
			`' Makefile`
			`sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/`
			`' Makefile.in`
			`./configure --prefix=/opt/PF_RING && make && make install`

			`Subsequently, build and install tcpdump using the PF_RING enabled version of`
			`libpcap:`

			`cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0`
			`sudo ./configure`
			`sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/`
			`' Makefile`
			`sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/`
			`' Makefile.in`
			`sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/`
			`' Makefile`
			`sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/`
			`' Makefile.in`
			`sudo sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//`
			`' Makefile`
			`sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//`
			`' Makefile.in`
			`sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --`
			`prefix=/opt/PF_RING/ --enable-ipv6 && make && make install`