#Kind of a funny way to accomplish this, but it’s the only way I could get pf_ring to build and actually work.

#CentOS 6.6, x86_64 (see the kernel module path under "Backup the current one" below).
#Install EPEL.  epel-release is a noarch package, so the i386 repoview link below serves the same RPM as the x86_64 one; prefer `yum install epel-release` from the CentOS extras repo if it is available, and otherwise verify the downloaded RPM with `rpm -K` before installing it — the mirror link is plain http.
http://mirror.umd.edu/fedora/epel/6/i386/repoview/epel-release.html

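#Build dependencies.  byacc was listed twice in the original; -y is left off on
#purpose so the transaction can be reviewed before it runs.  Note that
#kernel-devel must match the running kernel (uname -r) or the pf_ring and NIC
#module builds below will target the wrong tree.
sudo yum install git swig python-devel byacc kernel-devel libtool automake make autoconf pcre-devel flex bison gcc gcc-c++ zlib-devel numactl numactl-devel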

If you’re using Myricom Sniffer10g, install the RPM and skip the PF_RING piece below.

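# Install PF_RING. Grab 6.0.2 from http://sourceforge.net/projects/ntop/files/PF_RING/
# (plain-http download: compare the tarball against the checksum ntop publishes
# before unpacking it).
# PFRING_SRC is the unpacked tree.  The original used `pfring-svn/kernel` here
# and `PF_RING-6.0.2/...` for the NIC driver further down — they must be the
# same checkout, so adjust this one path to wherever you unpacked it.
PFRING_SRC="$PWD/PF_RING-6.0.2"

# Kernel module: compile as non-root, only the install step needs sudo.
cd "$PFRING_SRC/kernel" && make && sudo make install

# Userland library, the PF_RING-enabled libpcap and tcpdump, all under
# /opt/pfring.  The original ran these after `sudo -i`, but a login shell
# starts in /root, so its relative `cd ../userland/lib` did not point into the
# source tree.  Build in place as the same user and `make install` as root.
# (The original `–prefix` was an en dash; configure needs `--prefix`.)
for dir in userland/lib userland/libpcap-1.1.1-ring userland/tcpdump-4.1.1; do
  cd "$PFRING_SRC/$dir" && ./configure --prefix=/opt/pfring && make && sudo make install || break
done

# Load it (the same parameters are re-applied from rc.local at boot, below).
sudo modprobe pf_ring enable_tx_capture=0 transparent_mode=2 min_num_slots=65535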

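#Install PF_RING aware nic drivers.
#Find out what driver the capture NIC (eth1) uses.
ethtool -i eth1

#I have e1000 so i'll compile the one in PF_RING-6.0.2/drivers/PF_RING_aware/non-ZC-drivers/intel/e1000/e1000-8.0.35/src
DRV_SRC=PF_RING-6.0.2/drivers/PF_RING_aware/non-ZC-drivers/intel/e1000/e1000-8.0.35/src

#Back up the stock module before `make install` overwrites it (run as root).
#`modinfo -n` prints the module path for the running kernel, e.g.
#/lib/modules/2.6.32-504.el6.x86_64/kernel/drivers/net/e1000/e1000.ko, so the
#kernel version is not hard-coded the way it was in the original.
cp -- "$(modinfo -n e1000)" /root/e1000.ko.backup

#Build as the non-root user and install as root.  The original used a bare
#`su nonroot`, which opens an interactive shell; `su -c` runs only the build,
#and su without `-` keeps the current directory.
su nonroot -c "cd '$DRV_SRC' && make"
(cd "$DRV_SRC" && make install)

#Careful doing this remotely: rmmod drops every interface bound to e1000.  If
#the management NIC is also e1000 (check `ethtool -i eth0` first), do this from
#the console or with a fallback scheduled.
rmmod e1000 && modprobe e1000
#`ethtool -i eth1` should now report the PF_RING driver version (8.0.35).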

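#Verification.  Run tcpdump from /opt/pfring and cat the info file from /proc/net/pf_ring/
/opt/pfring/sbin/tcpdump -i eth1 -w out.pcap &
TCPDUMP_PID=$!
#Give tcpdump a moment to bind the ring before looking for its entry.
sleep 2
#The entry appears to be named <pid>-<iface>.<ring id> (the original cat'ed a
#one-off 10041-eth1.2); if the glob matches nothing, list the directory.
cat /proc/net/pf_ring/"$TCPDUMP_PID"-eth1.*
#Expected output (abridged):
#Bound Device(s)    : eth1
#Active             : 1
#Breed              : Non-DNA
#..cut..
#Num Free Slots     : 65535

#Stop the test capture afterwards so it does not keep writing out.pcap and
#holding the ring; the original left it running.
kill "$TCPDUMP_PID"
rm -f out.pcap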

#Moloch
Oracle ("real") Java 7 is recommended for a large install, which this is. Note that Java 7 is past its public security-update end of life; whichever JRE you pick, keep it on a patched release that your elasticsearch version supports.
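#Download straight to a sensible filename instead of renaming the
#`AutoDL?BundleId=...` file afterwards (the original left that name unquoted;
#`?` is a glob character).  This is a plain-http download from a vendor
#redirector, so inspect the package before installing it: `rpm -K` checks the
#digests, and the signature too once the vendor's signing key is imported.
wget -O java.rpm 'http://javadl.sun.com/webapps/download/AutoDL?BundleId=101459'
rpm -K java.rpm
rpm -ivh java.rpm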

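#Clone moloch and record the commit you built from — master moves, and the
#easybutton script installs elasticsearch, node and moloch under /data/moloch
#as root, so read it before running it.
git clone https://github.com/aol/moloch.git
cd moloch && git rev-parse HEAD
./easybutton_singlehost.sh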
When the script asks whether to use PF_RING, answer no — capture is rebuilt against PF_RING below.
#Accept defaults or input how much memory you want.
#Enter config details for certs, passwords, etc.
#Then, once it is done, kill the moloch capture and viewer processes. You can leave elasticsearch running. We're going to build and install moloch capture against pfring.

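#List the moloch processes first.  easybutton also started elasticsearch out of
#/data/moloch, so a blanket `pkill -f moloch` would take that down too.
#(CentOS 6 procps has no `pgrep -a`; -l -f prints the full command line.)
pgrep -fl moloch
#Stop only capture and viewer, TERM first; escalate to -9 only if they hang.
pkill -f moloch-capture
pkill -f viewer.js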

If you're using Sniffer10g, there is an additional step: moloch's bundled libpcap has to be configured against /opt/snf.

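#Run from the top of the moloch checkout.  The original's /moloch/thirdparty/
#libpcap1.7.2 matched neither the clone directory (./moloch, above) nor the
#directory the configure line below names (thirdparty/libpcap-1.7.2).  The
#subshell keeps the cwd at the checkout root for the moloch configure step;
#the en-dash `–with-snf` of the original is `--with-snf`.  `make install` puts
#this libpcap under /usr/local as well as in the build tree.
(cd thirdparty/libpcap-1.7.2 && ./configure --with-snf=/opt/snf && make && make install)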

Then reconfigure and rebuild moloch (run from the top of the checkout):

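#Flags use `--` (the original's `–prefix` etc. were en dashes, which configure
#rejects).  --with-libpcap pointed at /root/moloch-master, which is not where
#the clone above lives; $PWD/thirdparty/... is the same bundled libpcap
#relative to the checkout, consistent with the other --with paths.
#--with-pfring=/opt is kept as written, although the PF_RING userland was
#installed with --prefix=/opt/pfring — check `./configure --help` for which
#directory this flag expects and make the two agree.
./configure --prefix=/data/moloch --with-pfring=/opt --with-libpcap="$PWD/thirdparty/libpcap-1.7.2" --with-libnids=thirdparty/libnids-1.24 --with-yara=thirdparty/yara-1.7 --with-GeoIP=thirdparty/GeoIP-1.6.0 --with-glib2=thirdparty/glib-2.42.0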

If you're using PF_RING, configure moloch against the PF_RING install. The configure line is the same as the Sniffer10g one (only the libpcap step above differs); note that it passes --with-pfring=/opt even though the userland pieces were installed with --prefix=/opt/pfring — check `./configure --help` for which directory the flag expects and make the two agree.
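#Flags use `--` (the original's `–prefix` etc. were en dashes, which configure
#rejects).  --with-libpcap pointed at /root/moloch-master, which is not where
#the clone above lives; $PWD/thirdparty/... is the same bundled libpcap
#relative to the checkout, consistent with the other --with paths.
#--with-pfring=/opt is kept as written, although the PF_RING userland was
#installed with --prefix=/opt/pfring — check `./configure --help` for which
#directory this flag expects and make the two agree.
./configure --prefix=/data/moloch --with-pfring=/opt --with-libpcap="$PWD/thirdparty/libpcap-1.7.2" --with-libnids=thirdparty/libnids-1.24 --with-yara=thirdparty/yara-1.7 --with-GeoIP=thirdparty/GeoIP-1.6.0 --with-glib2=thirdparty/glib-2.42.0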

Then,
#Build and install moloch under /data/moloch (the --prefix given to configure),
#replacing the binaries easybutton put there.
make && make install

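#Start capture and viewer (both go to the background; logs go wherever the
#run_*.sh wrappers send them).
/data/moloch/bin/run_capture.sh &
/data/moloch/bin/run_viewer.sh &

#Check /proc/net/pf_ring/ for a driver info file: one entry should appear for
#the capture process once it has bound eth1.  The original only described this
#check; this performs it.
ls -l /proc/net/pf_ring/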

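#Add the following to /etc/rc.local.  It runs as root at boot; keep it above
#the run_es.sh / run_moloch.sh lines added further down so the NIC is ready
#before capture starts.  The interface name was repeated nine times in the
#original; it is a single variable here.  No IP address is assigned to it,
#which is what you want on a sniffing interface.
IFACE=eth1
modprobe pf_ring enable_tx_capture=0 transparent_mode=2 min_num_slots=65535
ifconfig "$IFACE" down
#Turn off the NIC offloads, as is usual for a capture interface: GRO/LRO
#coalesce and TSO/GSO resegment frames, the rest let the hardware rewrite
#checksums and VLAN tags before the capture sees them.  Unsupported features
#just produce an ethtool error and are skipped, as in the original.
for feature in gro gso rx tx sg tso lro rxvlan txvlan; do
  ethtool -K "$IFACE" "$feature" off
done
#Forcing 1000/full typically disables autonegotiation on this side; if the
#SPAN/tap port on the switch stays on autoneg you can end up with a duplex
#mismatch, so configure both ends the same way.
ethtool -s "$IFACE" speed 1000 duplex full
ifconfig "$IFACE" mtu 1514
ifconfig "$IFACE" up
ifconfig "$IFACE" promisc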

#Add this to /etc/inittab to respawn capture and viewer at boot. This is an alternative to the rc.local + run_moloch.sh approach in the "Startup scripts" section below — use one or the other, otherwise two capture and two viewer processes get started.
m1:2345:respawn:/data/moloch/bin/run_capture.sh
v1:2345:respawn:/data/moloch/bin/run_viewer.sh

#Login to https://server:8005 with admin:admin — change this default password immediately, and keep port 8005 reachable only from the analyst network (firewall it or put it behind an authenticating reverse proxy).

####Startup scripts.  I separated elasticsearch from capture/viewer.  Elasticsearch takes a while to start up, especially when you have over 64 GB of memory.

####Add these two lines to /etc/rc.local

#Both run as root from rc.local.  Order matters: elasticsearch first, and
#run_moloch.sh (below) sleeps before starting capture/viewer to give it time.
/data/moloch/bin/run_es.sh &
/data/run_moloch.sh &

###Then create run_moloch.sh.  Note I had to create a second config file for the viewer process because it didn’t like me changing the raw pcap location.  Whatever.

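#!/bin/sh
# /data/run_moloch.sh — started from /etc/rc.local (as root) right after
# run_es.sh.  Rotates the previous logs, starts moloch-capture, then the
# viewer.  Both daemons run as root here; if your moloch version supports
# dropUser/dropGroup in config.ini, consider using them.
MOLOCH=/data/moloch
LOGS=$MOLOCH/logs

ulimit -l unlimited
# Give elasticsearch (started just before this script) time to come up.  A
# fixed delay is a race — on a slow start capture and viewer will fail to
# reach ES.  Polling ES's health endpoint would be more robust — TODO(review).
sleep 120

# Start moloch packet capture process.  The original removed
# /data/moloch/capture.log.old (no logs/ component), so the rotated log was
# never actually deleted; the path below matches the mv target.
cd "$MOLOCH/bin" || exit 1
/bin/rm -f "$LOGS/capture.log.old"
[ -f "$LOGS/capture.log" ] && /bin/mv "$LOGS/capture.log" "$LOGS/capture.log.old"
"$MOLOCH/bin/moloch-capture" -c "$MOLOCH/etc/config.ini" > "$LOGS/capture.log" 2>&1 &
sleep 10

# Start moloch viewer process (it reads a separate config2.ini, per the note
# in the post about the raw pcap location).
cd "$MOLOCH/viewer" || exit 1
/bin/rm -f "$LOGS/viewer.log.old"
[ -f "$LOGS/viewer.log" ] && /bin/mv "$LOGS/viewer.log" "$LOGS/viewer.log.old"
NODE_ENV=production
export NODE_ENV
# The original wrote `exec node ... &`: exec inside a backgrounded subshell is
# just plain backgrounding, so the misleading exec is dropped.
"$MOLOCH/bin/node" "$MOLOCH/viewer/viewer.js" -c "$MOLOCH/etc/config2.ini" > "$LOGS/viewer.log" 2>&1 &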
