Installation Guide For PF_RING

Hi,

This is my first guide so please bear with me for any disrespencies.

These steps were tested on Intel Core 2 Duo machine with 4 GB Ram and  Intel(R) PRO/1000 Network Card , with Ubuntu 9.10 installed.This guide explains the installation procedure for Version 4.3.1

PF_RING implementation by Luca Deri is a great method for efficient Packet Capture on Commodity Hardware.It can be found on http://www.ntop.org/PF_RING.html

I made a clean install,no other packages were installed other than mentioned.

1. Uninstall libpcap and other dependent applications/library using syanptic or apt-get
2. Install subversion(For fetching latest source codes),flex and bison(Required to recompile pf_ring aware pcap),ethtool(if not preinstalled,required for some basic Nic info of your computer)
3. Use Subversion to fetch source codes
   svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/  PF_RING
4. Check your current network card/driver using ethtool
   
   ethtool -i eth0 #change eth0 to your ethernet card
   
   Sample
   driver: e1000e
   version: 1.0.2-k2
   firmware-version: 0.4-3
   bus-info: 0000:00:19.0
   
   
   use man ethtool for more information on how to use ethtool
   
   As of version 4.3.1 PF_RING can be fully exploited only on the PF_RING aware device drivers.The modified device drivers for some of the popular network cards can be found in PF_RING/drivers .
   These are modified version of the drivers supplied from respective companies.(Might be a bit older sometimes but will work)
5. Unload the ethernet card driver (this is shown in the first line of output of above command
   
   sudo rmmod e1000e
   
6. Change current working directory to kernel
   
   cd PF_RING/kernel
   
7. Make the source codes
   
   make
   
   Here i had observed that many a times people(even I on first attempt)use sudo make or sudo -s , make . The former is not a correct method and will give you errors such as bounds.c missing , etc.
   Latter is also wrong but will do the job . The reason for such a thing is better explained by the difference in the command "sudo" and "sudo -s" . This can be found at http://ubuntuforums.org/showthread.php?t=983645 , or searching for "difference between sudo and sudo -s" on our favorite google
8. Now install the newly build source
   
   sudo make install
   
9. Change the working directory to PF_RING/userland/lib
   
   cd ../userland/lib
   
10. Again build the source codes
    
    make
    
11. Install the library (This include pfring.h)
    
    sudo make install
    
12. One bizarre thing that I observed is that the make install copies pfring.h to /usr/local/include but leaves the other dependent files these are :-
    
    
    • pfring_e1000e_dna.c
    • pfring_e1000e_dna.h
    Although the function in these files are not required in much of the program, they are include in pfring.h and i don't want to mess up with that.So we copy this to /usr/local/include . Please check this in later versions .
    
    cp pfring_e1000e_dna.c /usr/local/include
    cp pfring_e1000e_dna.h /usr/local/include
    
13. Now we have to compile PF_RING aware pcap library . Change the working directory to userland/libpcap-1.0.0-ring
    
    cd ../libpcap-1.0.0-ring/
    
14. Configure
    
    ./configure
    
15. Build the sources
    
    make
    
16. Install pf_ring aware libpcap
    
    sudo make install
    
17. Now we need to install the device driver(pf_ring aware).Change the working directory to drivers///src
    In my case it is "drivers/intel/e1000e-1.0.15/src"
    
    cd ../../drivers/intel/e1000e-1.0.15/src
    
18. Build the source
    
    make
19. Install the driver
    
    sudo make install
    
20. Now we need to activate PF_RING if its not already activated . You can use lsmod to check if pf_ring is started or not.Change the working diectory to /lib/modules//kernel/net/pf_ring .
    
    cd /lib/modules/2.6.31-14-generic/kernel/net/pf_ring
    Use uname -r to get the kernel version
    
21. Enable PF_RING(if already enabled you can disable it using sudo rmmod pf_ring)
    
    sudo insmod pf_ring.ko transparent_mode=1
    
    More on transparent mode can be found at http://www.ntop.org/blog/?p=56
22. Now enable to enable your driver go to /lib/modules//kernel/drivers/net/e100e
    
    cd /lib/modules/2.6.31-14-generic/kernel/drivers/net/e1000e
    
23. Enable the driver
    
    sudo insmod e1000e.ko
    
24. Now you can start working on your PF_RING application.You will have to recompile many applications such as tcpdump(modified included),network manager etc. Google for doing so :)

Hoping for a positive reviews :) and comments .I l soon post the usage guide for PF_RING .