Installation with PF RING

This is the installation guide for Suricata with PF_RING support and a guide to install PF_RING.

To install DKMS, enter:

sudo apt-get install dkms

To get subversion for checking out the PF_RING code, and flex and bison for building libpcap, enter:

sudo apt-get install subversion flex bison

To install the debs needed for Suricata, enter the following:

sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev libnet1-dev

In this example you will build Suricata from the git repository, so you will need some extra packages:

sudo apt-get install git-core automake autoconf libtool

To build your modules, please go to:

cd /usr/src/

Check out the PF_RING code:

sudo svn --force export PF_RING_CURRENT_SVN

Create the DKMS build directory and copy files over for the main PF_RING module by entering the following:

sudo mkdir /usr/src/pf_ring-4
sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/ 
cd /usr/src/pf_ring-4/ 

Create a file called 'dkms.conf'

sudo nano dkms.conf

and place the following into the file:


To save and close the file, press Ctrl and X at the same time, followed by y and Enter.

Build and install the PF_RING kernel module:

sudo dkms add -m pf_ring -v 4 
sudo dkms build -m pf_ring -v 4 
sudo dkms install -m pf_ring -v 4 

Create the installation directories for the PF_RING userland binaries, libraries and development headers (see notes):

sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}

Next, build and install the userland library:

sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/include/linux/ 
cd /usr/src/PF_RING_CURRENT_SVN/userland/lib 
sudo ./configure 
sudo sed -i -e 's/INSTDIR   = \${DESTDIR}\/usr\/local/INSTDIR   = \${DESTDIR}\/opt\/PF_RING/' Makefile 
sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include 
sudo make
sudo make install 

Enter the following to pull down the latest version of Suricata from the git repository and build with PF_RING support:

cd /usr/src/PF_RING_CURRENT_SVN/userland/ 
sudo git clone git:// oisfnew 
cd oisfnew 
sudo ./ 
sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ 
sudo make
sudo make install

Make the config and log directories (for a more complete getting-started guide, see Basic Setup):

sudo mkdir /etc/suricata 
sudo cp suricata.yaml /etc/suricata/ 
sudo cp classification.config /etc/suricata/ 
sudo mkdir /var/log/suricata 

The module parameters available when you load the pf_ring module are:

min_num_slots: Number of ring slots (uint)
transparent_mode: 0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparent (uint). For 1 and 2 you need to use a PF_RING aware driver.
enable_tx_capture: Set to 1 to capture outgoing packets (uint)
enable_ip_defrag: Set to 1 to enable IP defragmentation (only rx traffic is defragmented) (uint)

Enter the following as super-user:

echo "options pf_ring transparent_mode=0 min_num_slots=32768 enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf
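Because a wrong value in that options line only shows up as a failed or misbehaving modprobe later, it helps to validate the line against the four parameters listed above before writing it. The following script is an added example, not part of the original page: it accepts only those four parameters, checks their ranges, and flags transparent_mode 1 or 2 unless you declare a PF_RING aware driver by passing "aware" as the second argument (that argument name is this example's own convention).

```shell
#!/bin/sh
# Added example (not from the Suricata wiki): validate a modprobe.d options
# line for pf_ring against the documented module parameters.
# Assumptions: only min_num_slots, transparent_mode, enable_tx_capture and
# enable_ip_defrag are accepted; transparent_mode 1/2 is reported unless the
# second argument is the word "aware" (meaning a PF_RING aware driver is in
# use), which is a convention of this example only.

# is_uint VALUE -> succeeds when VALUE is a non-negative integer
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_pf_ring_options "options pf_ring k=v ..." [aware]
# Prints one problem per line; returns 0 when the line is acceptable.
check_pf_ring_options() {
    line=$1
    driver=${2:-plain}
    rc=0
    set -- $line
    if [ "$1" != "options" ] || [ "$2" != "pf_ring" ]; then
        echo "line must start with 'options pf_ring'"
        return 1
    fi
    shift 2
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        case "$key" in
            min_num_slots)
                is_uint "$val" && [ "$val" -gt 0 ] ||
                    { echo "min_num_slots must be a positive integer: $val"; rc=1; } ;;
            transparent_mode)
                case "$val" in
                    0) ;;
                    1|2) [ "$driver" = aware ] ||
                        { echo "transparent_mode=$val needs a PF_RING aware driver"; rc=1; } ;;
                    *) echo "transparent_mode must be 0, 1 or 2: $val"; rc=1 ;;
                esac ;;
            enable_tx_capture|enable_ip_defrag)
                case "$val" in
                    0|1) ;;
                    *) echo "$key must be 0 or 1: $val"; rc=1 ;;
                esac ;;
            *) echo "unknown parameter: $key"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: the exact line written to /etc/modprobe.d/pf_ring.conf above
check_pf_ring_options "options pf_ring transparent_mode=0 min_num_slots=32768 enable_tx_capture=0" \
    && echo "pf_ring options OK"
```

Run it on the line before the echo into /etc/modprobe.d; a non-zero exit means at least one parameter name or value does not match what the module documents.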

To check the status of PF_RING:

sudo modprobe pf_ring
sudo modinfo pf_ring && cat /proc/net/pf_ring/info 

Start up Suricata with PF_RING support:

sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml

If you need to uninstall PF_RING or roll back your PF_RING aware drivers to their previous state, you can do so with the following commands:

sudo dkms remove -m pf_ring -v 4 --all

The following step, removing the PF_RING aware e1000e driver, is optional:

sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all

Issue the following command to verify that PF_RING is now installed as a DKMS module:

dkms status

Now go through the steps to build a PF_RING aware driver:

sudo mkdir /usr/src/e1000e-pf_ring-1.0.15 
sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/ 

Copy pf_ring.h alongside the driver source so that DKMS can find it for driver rebuilds:

sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.0.15/ 
cd /usr/src/e1000e-pf_ring-1.0.15/ 

After that, fix the path to pf_ring.h:

sudo sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' netdev.c

Then create a file called 'dkms.conf'.

sudo nano dkms.conf

and place the following into the file:


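Both 'dkms.conf' steps on this page (for pf_ring-4 above and for e1000e-pf_ring-1.0.15 here) leave the file contents out. The script below is an added example, not the wiki's or the PF_RING project's own file: it writes a minimal dkms.conf and checks that its PACKAGE_NAME and PACKAGE_VERSION equal the -m and -v values later passed to dkms add/build/install, since DKMS refuses a tree whose conf does not match those arguments. PACKAGE_NAME, PACKAGE_VERSION, BUILT_MODULE_NAME, DEST_MODULE_LOCATION and AUTOINSTALL are DKMS's own dkms.conf keys; the module object names (pf_ring, e1000e) and the destination directories under /kernel are this example's assumptions and should be checked against each source tree.

```shell
#!/bin/sh
# Added example, not the wiki's or the PF_RING project's own file: generate
# the dkms.conf for a module tree and check it against the name/version you
# will pass to "dkms add -m NAME -v VERSION".
# Assumptions: the module object names (pf_ring, e1000e) and the
# DEST_MODULE_LOCATION directories used in the usage section below are this
# example's guesses; verify them against the Makefile of each tree.

# write_dkms_conf DIR NAME VERSION MODULE DEST
# Writes DIR/dkms.conf. DKMS reads the file with bash, so the [0] array
# index is valid there even though plain sh could not source it.
write_dkms_conf() {
    cat > "$1/dkms.conf" <<EOF
PACKAGE_NAME="$2"
PACKAGE_VERSION="$3"
BUILT_MODULE_NAME[0]="$4"
DEST_MODULE_LOCATION[0]="$5"
AUTOINSTALL="yes"
EOF
}

# dkms_conf_value FILE KEY -> prints the quoted value of KEY or KEY[0]
dkms_conf_value() {
    sed -n "s/^$2\(\[0\]\)*=\"\(.*\)\"\$/\2/p" "$1"
}

# check_dkms_conf DIR NAME VERSION -> 0 when DIR/dkms.conf exists, names a
# built module, and its name/version equal the dkms -m/-v arguments
check_dkms_conf() {
    f=$1/dkms.conf
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    [ "$(dkms_conf_value "$f" PACKAGE_NAME)" = "$2" ] ||
        { echo "PACKAGE_NAME in $f is not $2"; return 1; }
    [ "$(dkms_conf_value "$f" PACKAGE_VERSION)" = "$3" ] ||
        { echo "PACKAGE_VERSION in $f is not $3"; return 1; }
    [ -n "$(dkms_conf_value "$f" BUILT_MODULE_NAME)" ] ||
        { echo "no BUILT_MODULE_NAME in $f"; return 1; }
    return 0
}

# Usage for the two module trees on this page. A scratch directory is used
# so the script runs anywhere; on a real system point it at /usr/src as root.
tmp=$(mktemp -d)
mkdir -p "$tmp/pf_ring-4" "$tmp/e1000e-pf_ring-1.0.15"
write_dkms_conf "$tmp/pf_ring-4" pf_ring 4 pf_ring /kernel/net/pf_ring
write_dkms_conf "$tmp/e1000e-pf_ring-1.0.15" e1000e-pf_ring 1.0.15 e1000e /kernel/drivers/net/e1000e
check_dkms_conf "$tmp/pf_ring-4" pf_ring 4 &&
    check_dkms_conf "$tmp/e1000e-pf_ring-1.0.15" e1000e-pf_ring 1.0.15 &&
    echo "both dkms.conf files match their dkms -m/-v arguments"
rm -rf "$tmp"
```

The name and version checked here are the same strings used with -m and -v in the dkms add, build, install and remove commands on this page, so a mismatch is caught before the first dkms call rather than as a build error.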
Build and install the e1000e-pf_ring network driver module:

sudo dkms add -m e1000e-pf_ring -v 1.0.15 
sudo dkms build -m e1000e-pf_ring -v 1.0.15 
sudo dkms install -m e1000e-pf_ring -v 1.0.15 

After that, build and install the PF_RING enabled libpcap:

cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring
sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' 
sudo ./configure --prefix=/opt/PF_RING && sudo make && sudo make install

Subsequently, build and install tcpdump using the PF_RING enabled version of libpcap:

cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0 
sudo ./configure 
sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile 
sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' 
sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/' Makefile 
sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/' 
sudo sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' Makefile 
sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//' 
sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && make && make install