转载:InstallingPFRINGandnProbeonFedoraCore4(FC4)

原文：

## Install FC4.

## Install FC4 updates.

## Download Source for FC kernel

- Download source RPM for kernel running on system ("unname -r" will give

you current version)

(rpm contains vanilla kernel and FC patches).

* Instructions below are taken the from Fedora Core Release Notes about

kernel compiling

Check there for definitive information (NMJ).

- Install src with command "rpm -Uvh kernel-<version>.src.rpm" where versio

is the

version from "uname -r"

- Add Fedora patches to vanilla kernel

cd /usr/src/redhat/SPECS

rpmbuild -bp --target $(arch) kernel-2.6.spec

- Move kernel to /usr/src

mv /usr/src/redhat/BUILD/kernel-<version>/kernel-<version> /usr/src (Note:

the two kernel-<version>

cd /usr/src

ln -s ./linux-<version> linux

cd /usr/src/linux

## Installing PF_RING patches into kernel source

- Download PF_RING:

CVSROOT=:pserver:anonymous[at]cvs.ntop.org:/export/home/ntop;export CVSROOT

mkdir <directory to store PF_RING files>

cd <directory to store PF_RING files>

cvs login (password is "ntop")

cvs checkout PF_RING

cd PF_RING

- Edit mkpatch.sh so Kernel version variables equal FC4 kernel versio

created above.

i.e. if "uname -r" returns "2.6.14-1.1656_FC4", then:

VERSION=2

PATCHLEVEL=6

SUBLEVEL=14

EXTRAVERSION="-1.1656_FC4-PF_RING"

- Run "mkpatch.sh"

- Copy the compressed patch file created by mkpatch.sh in the directory

"workspace"

(i.e. linux-2.6.14-1.1656_FC4-PF_RING) to /usr/src

- Run "zcat <patch file> | patch --dry-run -p0" to test for error

- Run "zcat <patch file> | patch -p0" to apply patche

## Build Kernel

* With exception of enabling PF_RING, Instructions below are taken the

from Fedora

Core Release Notes about kernel compiling. Check there for definitive

information.

cd /usr/src/linux

Edit Makefile to set VERSION, PATCHLEVEL, and EXTRAVERSION

Run "make menuconfig"

Enable PF_RING under "Networking->Networking options".

Enable 64 GB memory support under "Processor type and features->High

Memory Support"

make

make modules_install

make install (to install kernel in /boot and make compressed ram image

(unique to FC))

Edit /boot/grub/grub.conf, set default time out to 10 seconds and change

the default boot to the new kernel.

Reboot and test that system boots new kernel successfully. You can alway

reboot and select the old

kernel from the grub loader menu if the new kernel doesn't work.

## Build PF_RING enabled libpca

- Copy /usr/src/linux/include/linux/ring.h to /usr/include/linux

(For some reason this doesn't get done when compiling the kernel).

- Compile libpfring (This is one of those new steps that was not

documented).

cd PF_RING/userland/libpfring

make

cp libpfring.a /usr/local/li

cp pfring.h /usr/local/include

- Get version of libpcap specified version of PF_RING

(Do an directory listing of PF_RING/userland to find version of libpca

to get

It's currently 0.9.4, get it at http://www.tcpdump.org ).

Untar libpcap source in PF_RING/userland

- Copy pcap-int.h and pcap-linux.c from

PF_RING/userland/libpcap<VERSION>-ring to directory

PF_RING/userland/libpcap<VERSION>.

- Use the following configure command to make sure libpcap can find the

ring librarie

./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"

- Build libpca

make

make install

(default install is into /usr/local/include and /usr/local/lib)

- cd back to PF_RING/userland/pcount. Make and run pcount to test to test

if libpcap is working.

You won't see any output until you stop the program with <CTRL-C>.

[root[at]nmj-test libpfring]# ./pcount

Capturing from eth0

(Wait a bit, and hit <CTRL-C>. You should see the following):

=========================

Absolute Stats: [19 pkts rcvd][0 pkts dropped]

Total Pkts=19/Dropped=0.0 %

19 pkts [7.8 pkt/sec] - 5159 bytes [0.02 Mbit/sec]

=========================

Actual Stats: 19 pkts [-1402903.2 ms][-0.0 pkt/sec]

=========================

[root[at]nmj-test pcount]#

## Compile nProbe to use libpcap.

- Untar nProbe

- Run "autogen.sh" (generates configure stuff, don't know why)

- ./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/li

-lpfring"

(again adding -lpfring is NOT documented).

## Test running nprobe

Watch the syslog file by running "tail -f /var/log/messages"

Run nprobe

Look for the following messages in to appear in /var/log/messages:

Jan 27 14:15:47 nmj-test kernel: RING: successfully allocated 1024 KB

[tot_mem=598076][order=8]

Jan 27 14:15:47 nmj-test kernel: RING: allocated 7181 slot

[slot_len=146][tot_mem=1048576]

Jan 27 14:15:47 nmj-test kernel: device eth0 entered promiscuous mode

## Other things you may want to consider to maximize performance.

- Disable X (you can always start it by running the "startx" command).

Edit /etc/inittab and comment out inittab entry that starts.

- Disable graphical boot statu

Edit /boot/grub/grub.conf and remove "rhgb" option from grub.conf

entrie

- Shutdown all unnecessary service

- Review Firewall setting

## Check the archives for ntop-misc mailing list, there is an e-mail about

on how to

make libpcap a shared library so it can be used with other applicatio

that use libpca

(ethereal, snort).