Installing PF RING and nProbe on Fedora Core 4 (FC4)
## Install FC4.## Install FC4 updates.
## Download Source for FC kernel
- Download source RPM for kernel running on system ("unname -r" will give
you current version)
(rpm contains vanilla kernel and FC patches).
* Instructions below are taken the from Fedora Core Release Notes about
kernel compiling
Check there for definitive information (NMJ).
- Install src with command "rpm -Uvh kernel-<version>.src.rpm" where version
is the
version from "uname -r"
- Add Fedora patches to vanilla kernel
cd /usr/src/redhat/SPECS
rpmbuild -bp --target $(arch) kernel-2.6.spec
- Move kernel to /usr/src
mv /usr/src/redhat/BUILD/kernel-<version>/kernel-<version> /usr/src (Note:
the two kernel-<version>s
cd /usr/src
ln -s ./linux-<version> linux
cd /usr/src/linux
## Installing PF_RING patches into kernel source
- Download PF_RING:
CVSROOT=:pserver:anonymous[at]cvs.ntop.org:/export/home/ntop;export CVSROOT
mkdir <directory to store PF_RING files>
cd <directory to store PF_RING files>
cvs login (password is "ntop")
cvs checkout PF_RING
cd PF_RING
- Edit mkpatch.sh so Kernel version variables equal FC4 kernel version
created above.
i.e. if "uname -r" returns "2.6.14-1.1656_FC4", then:
VERSION=2
PATCHLEVEL=6
SUBLEVEL=14
EXTRAVERSION="-1.1656_FC4-PF_RING"
- Run "mkpatch.sh"
- Copy the compressed patch file created by mkpatch.sh in the directory
"workspace"
(i.e. linux-2.6.14-1.1656_FC4-PF_RING) to /usr/src
- Run "zcat <patch file> | patch --dry-run -p0" to test for errors
- Run "zcat <patch file> | patch -p0" to apply patches
## Build Kernel
* With exception of enabling PF_RING, Instructions below are taken the
from Fedora
Core Release Notes about kernel compiling. Check there for definitive
information.
cd /usr/src/linux
Edit Makefile to set VERSION, PATCHLEVEL, and EXTRAVERSION
Run "make menuconfig"
Enable PF_RING under "Networking->Networking options".
Enable 64 GB memory support under "Processor type and features->High
Memory Support"
make
make modules_install
make install (to install kernel in /boot and make compressed ram image
(unique to FC))
Edit /boot/grub/grub.conf, set default time out to 10 seconds and change
the default boot to the new kernel.
Reboot and test that system boots new kernel successfully. You can always
reboot and select the old
kernel from the grub loader menu if the new kernel doesn't work.
## Build PF_RING enabled libpcap
- Copy /usr/src/linux/include/linux/ring.h to /usr/include/linux
(For some reason this doesn't get done when compiling the kernel).
- Compile libpfring (This is one of those new steps that was not
documented).
cd PF_RING/userland/libpfring
make
cp libpfring.a /usr/local/lib
cp pfring.h /usr/local/include
- Get version of libpcap specified version of PF_RING
(Do an directory listing of PF_RING/userland to find version of libpcap
to get
It's currently 0.9.4, get it at http://www.tcpdump.org ).
Untar libpcap source in PF_RING/userland
- Copy pcap-int.h and pcap-linux.c from
PF_RING/userland/libpcap<VERSION>-ring to directory
PF_RING/userland/libpcap<VERSION>.
- Use the following configure command to make sure libpcap can find the
ring libraries
./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
- Build libpcap
make
make install
(default install is into /usr/local/include and /usr/local/lib)
- cd back to PF_RING/userland/pcount. Make and run pcount to test to test
if libpcap is working.
You won't see any output until you stop the program with <CTRL-C>.
[root[at]nmj-test libpfring]# ./pcount
Capturing from eth0
(Wait a bit, and hit <CTRL-C>. You should see the following):
=========================
Absolute Stats: [19 pkts rcvd][0 pkts dropped]
Total Pkts=19/Dropped=0.0 %
19 pkts [7.8 pkt/sec] - 5159 bytes [0.02 Mbit/sec]
=========================
Actual Stats: 19 pkts [-1402903.2 ms][-0.0 pkt/sec]
=========================
[root[at]nmj-test pcount]#
## Compile nProbe to use libpcap.
- Untar nProbe
- Run "autogen.sh" (generates configure stuff, don't know why)
- ./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib
-lpfring"
(again adding -lpfring is NOT documented).
## Test running nprobe
Watch the syslog file by running "tail -f /var/log/messages"
Run nprobe
Look for the following messages in to appear in /var/log/messages:
Jan 27 14:15:47 nmj-test kernel: RING: successfully allocated 1024 KB
[tot_mem=598076][order=8]
Jan 27 14:15:47 nmj-test kernel: RING: allocated 7181 slots
[slot_len=146][tot_mem=1048576]
Jan 27 14:15:47 nmj-test kernel: device eth0 entered promiscuous mode
## Other things you may want to consider to maximize performance.
- Disable X (you can always start it by running the "startx" command).
Edit /etc/inittab and comment out inittab entry that starts.
- Disable graphical boot status
Edit /boot/grub/grub.conf and remove "rhgb" option from grub.conf
entries
- Shutdown all unnecessary services
- Review Firewall settings
## Check the archives for ntop-misc mailing list, there is an e-mail about
on how to
make libpcap a shared library so it can be used with other applications
that use libpcap
(ethereal, snort).