CentOS 6.6
First enable passwordless SSH
Run ssh-keygen if you haven't already
cat .ssh/id_rsa.pub
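Copy that public key (never the private id_rsa) to /root/.ssh/authorized_keys on the new system. Then change permissions there; sshd's default StrictModes check refuses the key when ~/.ssh or authorized_keys is writable by other users.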
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
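# Install EPEL from the epel-release package linked below; leave gpgcheck enabled so yum verifies the signatures of the packages it installs.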
http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html
sudo yum install cmake swig python-devel byacc kernel-devel libtool subversion automake make autoconf pcre-devel libpcap-devel libpcap flex bison byacc gcc gcc-c++ zlib-devel numactl numactl-devel GeoIP GeoIP-devel gperftools
# install PF_RING. Grab 6.0.2. http://sourceforge.net/projects/ntop/files/PF_RING/
#Push it over
scp PF_RING-6.0.2.tar.gz user@X.X.X.X:/home/user/
#Compile as non root.
cd pfring-svn/kernel
make && sudo make install
#Compile and install the rest as root
sudo -i
cd ../userland/lib
./configure --prefix=/opt/pfring && make && make install
cd ../libpcap-1.1.1-ring
./configure --prefix=/opt/pfring && make && make install
cd ../tcpdump-4.1.1
./configure --prefix=/opt/pfring && make && make install
#Load it
modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
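# NIC settings: disable offloading on the capture interface so Bro sees packets as they appeared on the wire, not as the NIC segmented or merged them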
ifconfig eth1 down
ethtool -K eth1 gro off
ethtool -K eth1 gso off
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 tso off
ethtool -K eth1 lro off
ethtool -K eth1 rxvlan off
ethtool -K eth1 txvlan off
ethtool -s eth1 speed 1000 duplex full
ifconfig eth1 mtu 1514
ifconfig eth1 up
ifconfig eth1 promisc
#Add the lines above to /etc/rc.local
#Verification. You should see 0 rings because Bro hasn't been started yet.
[root@localhost ~]# modinfo pf_ring && cat /proc/net/pf_ring/info
filename: /lib/modules/2.6.32-504.el6.x86_64/kernel/net/pf_ring/pf_ring.ko
alias: net-pf-27
description: Packet capture acceleration and analysis
author: Luca Deri <deri@ntop.org>
license: GPL
srcversion: CE1D96764C8F88915343823
depends:
vermagic: 2.6.32-504.el6.x86_64 SMP mod_unload modversions
parm: min_num_slots:Min number of ring slots (uint)
parm: perfect_rules_hash_size:Perfect rules hash size (uint)
parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version : 6.0.2 ($Revision: $)
Total rings : 2
Standard (non DNA) Options
Ring slots : 32768
Slot version : 16
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
[root@localhost ~]# cat /var/log/messages | grep PF_RING
Jan 23 10:47:11 localhost kernel: [PF_RING] Welcome to PF_RING 6.0.2 ($Revision: $)
Jan 23 10:47:11 localhost kernel: [PF_RING] registered /proc/net/pf_ring/
Jan 23 10:47:11 localhost kernel: [PF_RING] Min # ring slots 32768
Jan 23 10:47:11 localhost kernel: [PF_RING] Slot version 16
Jan 23 10:47:11 localhost kernel: [PF_RING] Capture TX No [RX only]
Jan 23 10:47:11 localhost kernel: [PF_RING] Transparent Mode 0
Jan 23 10:47:11 localhost kernel: [PF_RING] IP Defragment No
Jan 23 10:47:11 localhost kernel: [PF_RING] Initialized correctly
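# Install Bro as root. Check the downloaded tarball against the signature or checksum published with the release before building it.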
wget https://www.bro.org/downloads/release/bro-2.3.1.tar.gz
tar zxvf bro-2.3.1.tar.gz
export LDFLAGS="-Wl,--no-as-needed -lrt"
export LIBS="-lrt -lnuma"
./configure --prefix=/opt/bro231 --with-pcap=/opt/pfring && make && make install
#node.cfg example
[worker-1]
type=worker
host=10.1.1.77
interface=eth1
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
#Install PF_RING aware nic drivers.
#Find out what driver you have
ethtool -i eth1
#I have igb, so I'll compile the one in PF_RING-6.0.2/drivers/PF_RING_aware/non-ZC-drivers/intel/igb/igb-5.1.2/src/
rmmod igb
make && sudo make install
modprobe igb
#Verification
modinfo igb
filename: /lib/modules/2.6.32-504.el6.x86_64/kernel/drivers/net/igb/igb.ko
version: 5.1.2-PF-RING-AWARE
#After multithreaded Bro is up and running:
[root@localhost ~]# cat /proc/net/pf_ring/
8031-eth1.1 8032-eth1.2 dev/ info plugins_info stats/
[root@localhost ~]# cat /proc/net/pf_ring/8031-eth1.1
Bound Device(s) : eth1
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX+TX
Socket Mode : RX+TX
Appl. Name : bro-eth1
IP Defragment : No
BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Poll Pkt Watermark : 1
Num Poll Calls : 1307494
Channel Id Mask : 0xFFFFFFFF
Cluster Id : 21
Slot Version : 16 [6.0.2]
Min Num Slots : 32768
Bucket Len : 8192
Slot Len : 8232 [bucket+header]
Tot Memory : 269758464
Tot Packets : 26610
Tot Pkt Lost : 0
Tot Insert : 26610
Tot Read : 26610
Insert Offset : 34814032
Remove Offset : 34814032
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 32768
For better performance, I found that using transparent mode 2 for PF_RING works best with the PF_RING aware drivers.
modprobe pf_ring enable_tx_capture=0 transparent_mode=2 min_num_slots=65535
See the PF_RING user guide for more information.
https://svn.ntop.org/svn/ntop/trunk/PF_RING/doc/UsersGuide.pdf