zhou.xingbo posted on 2013-1-31 02:15:34

PF_RING

1. PF_RING installation
 
A clean install; no packages other than those mentioned were installed.
 
1. Uninstall libpcap and other dependent applications/libraries using apt-get.
Reason?
 
2. Install subversion (to get the latest source code),
flex and bison (required to recompile the PF_RING-aware pcap),
and ethtool (if not preinstalled; required for some basic NIC info about your computer).
sudo apt-get install subversion flex bison ethtool

3. Use Subversion to fetch the source code
svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING
[Unload the local NIC driver]
4. Check your current network card/driver using ethtool
# change eth0 to your ethernet card
ethtool -i eth0
Sample:
driver: e1000e
version: 1.0.2-k2
firmware-version: 0.4-3
bus-info: 0000:00:19.0
 
Note: The modified device drivers for some of the popular network cards can be found in PF_RING/drivers.
 
5. Unload the ethernet card driver (its name is shown in the first line of the output of the above command)
 
sudo rmmod e1000e 
 
[Build and install the kernel module]
6. Change the current working directory to PF_RING/kernel
 
cd PF_RING/kernel  
7. Build the source code
 
make 
 
8. Now install the newly built module
 
sudo make install 
 
[Build and install the userland library]
9. Change the working directory to PF_RING/userland/lib
cd ../userland/lib
 
10. Build the source code again
make
 
11. Install the library (this includes pfring.h)
sudo make install 

[Note] In the latest version the two files pfring_e1000e_dna.c and pfring_e1000e_dna.h no longer appear.
12. One bizarre thing that I observed is that make install copies pfring.h to /usr/local/include but leaves out the other dependent files, which are:
 1. pfring_e1000e_dna.c
 2. pfring_e1000e_dna.h
 
13. Although the functions in these files are not required by most programs, they are included from pfring.h and I don't want to mess with that, so we copy them to /usr/local/include as well.

cp pfring_e1000e_dna.c /usr/local/include
cp pfring_e1000e_dna.h /usr/local/include
 
[Build and install the PF_RING-aware pcap library]
14. Now we have to compile the PF_RING-aware pcap library. Change the working directory to userland/libpcap-1.0.0-ring
 
cd ../libpcap-1.0.0-ring/ 
 
15. Configure
 
./configure 
 
16. Build the sources
 
make  
17. Install the PF_RING-aware libpcap
 
sudo make install 

[Install the PF_RING-aware device driver; choose the one that matches your machine]
18. Now we need to install the (PF_RING-aware) device driver. Change the working directory to drivers///src
In my case it is "drivers/intel/e1000e-1.0.15/src"
 
cd ../../drivers/intel/e1000e-1.0.15/src  
19. Build the source
 
make 
 
20. Install the driver
 
sudo make install 

[Activate PF_RING so that it is loaded into the kernel]
21. Now we need to activate PF_RING if it is not already activated. You can use lsmod to check whether pf_ring is loaded.
Change the working directory to /lib/modules//kernel/net/pf_ring
Use uname -r to get the kernel version
 
cd /lib/modules/2.6.31-14-generic/kernel/net/pf_ring  
22. Enable PF_RING (if it is already enabled you can disable it first using sudo rmmod pf_ring)
 
sudo insmod pf_ring.ko transparent_mode=1 
 
Note:
   • transparent_mode=0 (default)
      Packets are received via the standard Linux interface. Any driver can use this mode.
   • transparent_mode=1 (both vanilla and PF_RING-aware drivers)
      Packets are memcpy()'d to PF_RING and also to the standard Linux path.
   • transparent_mode=2 (PF_RING-aware drivers only)
      Packets are ONLY memcpy()'d to PF_RING and not to the standard Linux path (i.e. tcpdump won't see anything).
The higher the transparent_mode value, the faster packet capture gets.
 
Other parameters:
   • min_num_slots
     Minimum number of ring slots (default — 4096).
   • enable_tx_capture
     Set to 1 to capture outgoing packets, set to 0 to disable capturing outgoing packets (default — RX+TX).
   • enable_ip_defrag
     Set to 1 to enable IP defragmentation; only RX traffic is defragmented.
 
More on transparent mode can be found at http://www.ntop.org/blog/?p=56
 
[Bring the driver up]
23. Now, to enable your driver, go to /lib/modules//kernel/drivers/net/e1000e
 
cd /lib/modules/2.6.31-14-generic/kernel/drivers/net/e1000e  
24. Enable the driver
 
sudo insmod e1000e.ko  
25. Now you can start working on your PF_RING application.
Note: You will have to recompile many applications, such as tcpdump (a modified one is included), network manager, etc. Google for how to do so.
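As an added example (not part of the original post), the driver-unload step (4-5) and the pf_ring/driver load steps (21-24) wrapped in a small POSIX sh helper with checks. It assumes sudo is available and that the driver's .ko sits under drivers/net/<driver>/<driver>.ko, as e1000e does here; the parsing helpers read command output from stdin so they can be tried on captured text.

```shell
#!/bin/sh
# Added example, not from the original post: the driver-unload (steps 4-5) and
# pf_ring / driver load (steps 21-24) wrapped in small checked functions. The
# parsing helpers read command output on stdin, so they can be exercised on
# captured text; reload_with_pf_ring runs the real commands with sudo.

# Print the "driver:" field of `ethtool -i <iface>` output read from stdin.
driver_from_ethtool() {
    awk -F': *' '$1 == "driver" { print $2; exit }'
}

# Succeed (exit 0) if module $1 is listed in `lsmod` output read from stdin.
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Path of pf_ring.ko for kernel release $1 (defaults to `uname -r`).
pf_ring_module_path() {
    printf '/lib/modules/%s/kernel/net/pf_ring/pf_ring.ko\n' "${1:-$(uname -r)}"
}

# Only transparent_mode 0, 1 and 2 are documented; reject anything else.
valid_transparent_mode() {
    case "$1" in 0|1|2) return 0 ;; *) return 1 ;; esac
}

# Unload the NIC driver and pf_ring (in dependency order), then load pf_ring
# with the requested transparent_mode and the PF_RING-aware driver again.
# Assumption: the driver's .ko lives at drivers/net/<driver>/<driver>.ko,
# as it does for e1000e in the post above.
reload_with_pf_ring() {
    iface=$1 mode=${2:-1}
    valid_transparent_mode "$mode" || { echo "bad transparent_mode: $mode" >&2; return 1; }
    drv=$(ethtool -i "$iface" | driver_from_ethtool)
    [ -n "$drv" ] || { echo "cannot determine driver for $iface" >&2; return 1; }
    release=$(uname -r)
    if lsmod | module_loaded "$drv"; then sudo rmmod "$drv" || return 1; fi
    if lsmod | module_loaded pf_ring; then sudo rmmod pf_ring || return 1; fi
    sudo insmod "$(pf_ring_module_path "$release")" transparent_mode="$mode" || return 1
    sudo insmod "/lib/modules/$release/kernel/drivers/net/$drv/$drv.ko" || return 1
    # The /proc entry only exists once pf_ring is active, so this doubles as a check.
    cat /proc/net/pf_ring/info
}
```

Run it as `reload_with_pf_ring eth0 1` after the build steps above; a transparent_mode of 2 will make tcpdump on the standard Linux path go blind, as the note says.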
 
2. PF_RING demo
In short, PF_RING is a simple yet powerful technology that lets developers build high-speed traffic monitoring applications in a small amount of time.
 
Checking PF_RING Device Configuration
When PF_RING is activated, a new entry /proc/net/pf_ring is created.
 
cat /proc/net/pf_ring/info
 
cat /proc/net/pf_ring/plugins_info
 
 
When linking against libpfring and libpcap, it is necessary to also link your PF_RING-enabled applications against the -lpthread library.
 
Use the relevant commands to check the packet capture status (userland/examples)
 
PF_RING's messages can be seen via dmesg or in /var/log/messages