CentOS 6.6

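First, enable passwordless (key-based) SSH.
Run ssh-keygen if you haven’t already generated a key pair. The private key stays on your workstation; only the .pub file is copied.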

cat .ssh/id_rsa.pub 
 
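Copy that public key into /root/.ssh/authorized_keys on the new system, then restrict the permissions (with the default StrictModes setting, sshd ignores the file if the directory or the file is writable by other users):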
 
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
 

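#Install EPEL. The link below is plain HTTP, so let rpm/yum verify the package's GPG signature rather than skipping the check.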
http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html

sudo yum install cmake swig python-devel byacc kernel-devel libtool subversion automake make autoconf pcre-devel libpcap-devel libpcap flex bison byacc gcc gcc-c++ zlib-devel numactl numactl-devel GeoIP GeoIP-devel gperftools

# install PF_RING. Grab 6.0.2. http://sourceforge.net/projects/ntop/files/PF_RING/
#Push it over
scp PF_RING-6.0.2.tar.gz user@X.X.X.X:/home/user/

#Compile as non root.
# The tarball copied over above has to be unpacked first.
# NOTE(review): the directory name below (pfring-svn) does not match the
# PF_RING-6.0.2 tarball; change into the kernel/ directory of the tree you
# actually unpacked.
cd pfring-svn/kernel
# Only the install step runs under sudo; the build itself stays unprivileged.
make && sudo make install

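#Compile and install the rest as root
# sudo -s keeps the current directory; sudo -i would start in root's home
# directory and the relative cd below would no longer resolve.
# NOTE(review): configure and make then run the upstream build scripts as
# root. Building as the regular user and running only "make install" under
# sudo, as done for the kernel module above, keeps root out of the build.
sudo -s
cd ../userland/lib
# Options take two ASCII hyphens (--prefix); a typographic dash is not parsed
# as an option by configure.
./configure --prefix=/opt/pfring && make && make install
cd ../libpcap-1.1.1-ring
./configure --prefix=/opt/pfring && make && make install
cd ../tcpdump-4.1.1
./configure --prefix=/opt/pfring && make && make install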

#Load it
modprobe pf_ring enable_tx_capture=0 min_num_slots=32768

#NIC Settings
# Take the capture interface down while it is reconfigured.
ifconfig eth1 down
# Switch off each offload feature in turn. With offloads on, the NIC or kernel
# can merge or alter frames before the capture layer sees them.
for feature in gro gso rx tx sg tso lro rxvlan txvlan; do
  ethtool -K eth1 "$feature" off
done
# Fix the link speed and duplex, then set the MTU.
ethtool -s eth1 speed 1000 duplex full
ifconfig eth1 mtu 1514
# Bring the interface back up and accept frames not addressed to it.
ifconfig eth1 up
ifconfig eth1 promisc

#Add the lines above to /etc/rc.local

#Verification.  You should see 0 rings because Bro hasn’t been started yet.

[root@localhost ~]# modinfo pf_ring && cat /proc/net/pf_ring/info
filename:       /lib/modules/2.6.32-504.el6.x86_64/kernel/net/pf_ring/pf_ring.ko
alias:          net-pf-27
description:    Packet capture acceleration and analysis
author:         Luca Deri <deri@ntop.org>
license:        GPL
srcversion:     CE1D96764C8F88915343823
depends:
vermagic:       2.6.32-504.el6.x86_64 SMP mod_unload modversions
parm:           min_num_slots:Min number of ring slots (uint)
parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
parm:           transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version          : 6.0.2 ($Revision: $)
Total rings              : 2

Standard (non DNA) Options
Ring slots               : 32768
Slot version             : 16
Capture TX               : No [RX only]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

[root@localhost ~]# cat /var/log/messages | grep PF_RING
Jan 23 10:47:11 localhost kernel: [PF_RING] Welcome to PF_RING 6.0.2 ($Revision: $)
Jan 23 10:47:11 localhost kernel: [PF_RING] registered /proc/net/pf_ring/
Jan 23 10:47:11 localhost kernel: [PF_RING] Min # ring slots 32768
Jan 23 10:47:11 localhost kernel: [PF_RING] Slot version     16
Jan 23 10:47:11 localhost kernel: [PF_RING] Capture TX       No [RX only]
Jan 23 10:47:11 localhost kernel: [PF_RING] Transparent Mode 0
Jan 23 10:47:11 localhost kernel: [PF_RING] IP Defragment    No
Jan 23 10:47:11 localhost kernel: [PF_RING] Initialized correctly

# Install Bro as root
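wget https://www.bro.org/downloads/release/bro-2.3.1.tar.gz
# Check the tarball against the signature or checksum published with the
# release before unpacking it: everything below runs as root.
tar zxvf bro-2.3.1.tar.gz
# configure has to run from inside the unpacked source tree.
cd bro-2.3.1

# Use plain ASCII quotes and double hyphens here; typographic quotes and
# dashes are passed through literally and break the linker flags and the
# configure options.
export LDFLAGS="-Wl,--no-as-needed -lrt"
export LIBS="-lrt -lnuma"
# --with-pcap points the build at the PF_RING libpcap installed under /opt/pfring.
./configure --prefix=/opt/bro231 --with-pcap=/opt/pfring && make && make install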

#node.cfg example

[worker-1]
type=worker
host=10.1.1.77
interface=eth1
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1

#Install PF_RING aware nic drivers.
#Find out what driver you have
ethtool -i eth1

#I have igb, so I'll compile the one in PF_RING-6.0.2/drivers/PF_RING_aware/non-ZC-drivers/intel/igb/igb-5.1.2/src/
# Unloading igb takes every interface that uses the driver offline until the
# module is loaded again, so run this from a console or over a NIC that uses
# a different driver.
rmmod igb
# Run from the driver's src/ directory named above; only the install step
# runs under sudo.
make && sudo make install

# Load the igb module again; the modinfo check below should report the
# PF_RING-aware version.
modprobe igb

#Verification
modinfo igb
filename:       /lib/modules/2.6.32-504.el6.x86_64/kernel/drivers/net/igb/igb.ko
version:        5.1.2-PF-RING-AWARE

#After multithreaded Bro is up and running:
[root@localhost ~]# cat /proc/net/pf_ring/
8031-eth1.1   8032-eth1.2   dev/          info          plugins_info  stats/
[root@localhost ~]# cat /proc/net/pf_ring/8031-eth1.1
Bound Device(s)    : eth1
Active             : 1
Breed              : Non-DNA
Sampling Rate      : 1
Capture Direction  : RX+TX
Socket Mode        : RX+TX
Appl. Name         : bro-eth1
IP Defragment      : No
BPF Filtering      : Enabled
# Sw Filt. Rules   : 0
# Hw Filt. Rules   : 0
Poll Pkt Watermark : 1
Num Poll Calls     : 1307494
Channel Id Mask    : 0xFFFFFFFF
Cluster Id         : 21
Slot Version       : 16 [6.0.2]
Min Num Slots      : 32768
Bucket Len         : 8192
Slot Len           : 8232 [bucket+header]
Tot Memory         : 269758464
Tot Packets        : 26610
Tot Pkt Lost       : 0
Tot Insert         : 26610
Tot Read           : 26610
Insert Offset      : 34814032
Remove Offset      : 34814032
TX: Send Ok        : 0
TX: Send Errors    : 0
Reflect: Fwd Ok    : 0
Reflect: Fwd Errors: 0
Num Free Slots     : 32768

For better performance, I found that using transparent mode 2 for PF_RING works best with the PF_RING aware drivers.

modprobe pf_ring enable_tx_capture=0 transparent_mode=2 min_num_slots=65535

See the PF_RING user guide for more information.
https://svn.ntop.org/svn/ntop/trunk/PF_RING/doc/UsersGuide.pdf
