PF_RING User Guide
Linux High Speed Packet Capture
Version 1.1
January 2008
© 2004-08 ntop.org
1. Introduction
PF_RING is a high speed packet capture library that turns a commodity PC into an efficient and cheap
network measurement box suitable for both packet and active traffic analysis and manipulation.
Moreover, PF_RING opens totally new markets as it enables the creation of efficient applications such as
traffic balancers or packet filters in a matter of lines of code.
This manual is divided into two parts:
• PF_RING installation and configuration.
• PF_RING SDK.
1.1 What’s New with PF_RING?
• Release 1.0 (January 2008)
    • Initial PF_RING users guide.
• Release 1.1 (January 2008)
    • Described PF_RING plugins architecture.
PF_RING User’s Guide v.1.1
2. PF_RING Installation
PF_RING’s architecture is depicted in the figure below.
[Figure: PF_RING architecture. Labels: Monitoring Application (three instances), PF_RING User-Space Library, PF_RING, Legacy, Userland / Kernel boundary, Ethernet Device Driver.]
The main building blocks are:
• The accelerated kernel driver that provides low-level packet copying into the kernel PF_RINGs.
• The user space PF_RING SDK that provides transparent PF_RING-support to user-space
  applications.
When you download PF_RING you fetch the following components:
• An automatic patch mechanism that lets you patch a vanilla kernel with PF_RING.
• The PF_RING user-space SDK.
• An enhanced version of the libpcap library that transparently takes advantage of PF_RING if
  installed, or falls back to the standard behavior if not installed.
PF_RING is downloaded by means of SVN as explained in http://www.ntop.org/PF_RING.html
2.1 Linux Kernel Installation
The PF_RING source code layout is the following:
8 README 0 kernel/ 32 mkpatch.sh 0 userland/
The Linux kernel is patched automatically by the mkpatch.sh tool. This tool downloads the Linux kernel
source from the Internet and patches it. The patched kernel is placed in a new directory
named workspace that sits at the same level as the other PF_RING files.
Users can decide what Linux kernel version to download by modifying the following mkpatch.sh
variables:
VERSION=${VERSION:-2}
PATCHLEVEL=${PATCHLEVEL:-6}
SUBLEVEL=${SUBLEVEL:-18.4}
In the above configuration the kernel 2.6.18.4 will be downloaded.
After the kernel has been downloaded and patched, users need to compile and install the kernel as
usual. Once the kernel is installed you need to modify your boot loader (usually lilo or grub) in order to let
your system access the new kernel. Once this is done, reboot the box and make sure you select the
kernel you just installed as the default kernel.
Note that:
• The kernel installation requires super user (root) capabilities.
• For some Linux distributions a kernel installation/compilation package is provided.
2.2 PF_RING Device Configuration
When PF_RING is activated, a new entry /proc/net/pf_ring is created.
nbox-factory:/home/deri# ls /proc/net/pf_ring/
info plugins_info
nbox-factory:/home/deri# cd /proc/net/pf_ring/
nbox-factory:/proc/net/pf_ring# cat info
Version : 3.7.5
Bucket length : 2000 bytes
Ring slots : 4096
Slot version : 9
Capture TX : Yes [RX+TX]
IP Defragment : No
Transparent mode : Yes
Total rings : 0
Total plugins : 2
nbox-factory:/proc/net/pf_ring# cat plugins_info
ID Plugin
2 sip [SIP protocol analyzer]
12 rtp [RTP protocol analyzer]
PF_RING allows users to install plugins for handling custom traffic. Those plugins are also registered in
the pf_ring /proc tree and can be listed by reading the plugins_info file.
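As an added example (not part of the original guide or of the PF_RING distribution), the script below parses the two /proc files shown above so that a capture host can be checked after it reboots into the patched kernel: it reports the version and ring settings and confirms that the expected plugins are registered. The function names and the sample directory are assumptions made for illustration; the sample files are a constructed copy of the listing above.

```shell
#!/bin/sh
# Added example: read the /proc/net/pf_ring files shown in section 2.2.
# Function names are hypothetical; the sample directory is constructed.

# pfring_field FILE KEY: print the value of one "Key : Value" line.
pfring_field() {
    awk -v key="$2" '{
        i = index($0, ":"); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }' "$1"
}

# pfring_plugins FILE: print "id:name" per registered plugin (header skipped).
pfring_plugins() {
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1 ":" $2 }' "$1"
}

# pfring_check DIR [PLUGIN...]: 0 = active and all plugins registered,
# 1 = PF_RING not active (no info file), 2 = a named plugin is missing.
pfring_check() {
    dir=$1; shift
    [ -r "$dir/info" ] || { echo "PF_RING not active under $dir" >&2; return 1; }
    echo "PF_RING $(pfring_field "$dir/info" Version)," \
         "$(pfring_field "$dir/info" 'Ring slots') slots," \
         "$(pfring_field "$dir/info" 'Total rings') rings open"
    for want in "$@"; do
        pfring_plugins "$dir/plugins_info" | grep -q ":$want\$" ||
            { echo "plugin not registered: $want" >&2; return 2; }
    done
}

# make_sample DIR: constructed copy of the listing above, for offline runs.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'Version : 3.7.5' 'Bucket length : 2000 bytes' \
        'Ring slots : 4096' 'Slot version : 9' 'Capture TX : Yes [RX+TX]' \
        'IP Defragment : No' 'Transparent mode : Yes' 'Total rings : 0' \
        'Total plugins : 2' > "$1/info"
    printf '%s\n' 'ID Plugin' '2 sip [SIP protocol analyzer]' \
        '12 rtp [RTP protocol analyzer]' > "$1/plugins_info"
}

sample=$(mktemp -d)
make_sample "$sample"
pfring_check "$sample" sip rtp
# On a live host: pfring_check /proc/net/pf_ring sip rtp
```

A return code of 1 after a reboot usually means the box did not come up on the PF_RING-patched kernel.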
2.3 Libpfring and Libpcap Installation
Both libpfring and libpcap are distributed in source format. They can be compiled as follows:
• cd userland/libpfring
• make
• sudo make install
• cd ../libpcap-0.9.7-ring/
• ./configure
• make
Note that libpfring is reentrant, hence it is necessary to also link your PF_RING-enabled applications
against the pthread library (-lpthread).
IMPORTANT
Legacy pcap-based applications need to be recompiled against the new libpcap and
linked with a PF_RING enabled libpcap.a in order to take advantage of PF_RING. Do
not expect to use PF_RING without recompiling your existing application.