
CentOS7下安装 PF_RING 和 TCPDUMP

易阳云
2023-12-01

一、初始环境,为最小化安装

[root@clusternode0xa3 /]# uname -r
3.10.0-862.el7.x86_64

二、保留安装包

[root@clusternode0xa3 etc]# cp yum.conf yum.conf.old
[root@clusternode0xa3 etc]# vi yum.conf
[root@clusternode0xa3 etc]# pwd
/etc
[root@clusternode0xa3 etc]# cat yum.conf
[main]
#cachedir=/var/cache/yum/$basearch/$releasever
cachedir=/home/yumpackagees
#keepcache=0
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release

[root@clusternode0xa3 /]# yum install lrzsz
[root@clusternode0xa3 /]# yum install wget
[root@clusternode0xa3 /]# yum groupinstall "Development Tools"
[root@clusternode0xa3 /]# uname -r
3.10.0-862.el7.x86_64

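重要的事情说三遍:一定要重启一下(重启前后内核版本由 3.10.0-862 变为 3.10.0-1160.31.1;后面编译内核模块时用的是 /lib/modules/ 下与当前运行内核同版本的 build 目录,所以必须先让新内核生效)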

[root@clusternode0xa3 /]# reboot
[root@clusternode0xa3 /]# uname -r
3.10.0-1160.31.1.el7.x86_64
[root@clusternode0xa3 /]# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
warning: /var/tmp/rpm-tmp.qj1QKv: Header V4 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
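   1:epel-release-7-13                ################################# [100%]
(注:上面的 NOKEY 警告说明系统中没有对应的公钥,rpm 没有验证该包的签名就完成了安装。更稳妥的做法是先导入 EPEL 7 的 GPG 公钥再安装,或直接用 yum install epel-release 从 CentOS 自带的 extras 源安装。)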

[root@clusternode0xa3 yum.repos.d]# vi pfring.repo
[root@clusternode0xa3 yum.repos.d]# pwd
/etc/yum.repos.d
[root@clusternode0xa3 yum.repos.d]# cat pfring.repo
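# pf-ring repository
# 注意:下面的 gpgkey 和 baseurl 走的是明文 http,gpgcheck=1 所依赖的公钥本身可能在传输中被替换;
# 如果软件源支持 https,建议改用 https,并在首次导入公钥时核对指纹。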
[pfring]
name=pfring
gpgcheck=1
gpgkey=http://packages.ntop.org/centos-stable/RPM-GPG-KEY-deri
enabled=1
baseurl=http://packages.ntop.org/centos-stable/$releasever/$basearch/
[pfring_noarch]
name=pfring_noarch
gpgcheck=1
gpgkey=http://packages.ntop.org/centos-stable/RPM-GPG-KEY-deri
enabled=1
baseurl=http://packages.ntop.org/centos-stable/$releasever/noarch/
[root@clusternode0xa3 yum.repos.d]# 

[root@clusternode0xa3 /]# yum install pfring pfring-dkms  

[root@clusternode0xa3 tcpdump]# cd /
[root@clusternode0xa3 /]# systemctl status pf_ring
● pf_ring.service - PF_RING service
   Loaded: loaded (/usr/lib/systemd/system/pf_ring.service; disabled; vendor preset: disabled)
   Active: active (exited) since Wed 2021-07-14 19:28:17 CST; 59min ago
  Process: 539 ExecStartPost=/bin/sh -c if [ -x /etc/pf_ring/post ]; then /etc/pf_ring/post; fi (code=exited, status=0/SUCCESS)
  Process: 534 ExecStartPost=/bin/sh -c /bin/echo "$(/bin/date) pf_ring StartPost" >> /var/log/ntop-systemd.log (code=exited, status=0/SUCCESS)
  Process: 428 ExecStart=/usr/local/bin/pf_ringctl start (code=exited, status=0/SUCCESS)
  Process: 425 ExecStartPre=/bin/sh -c if [ -x /etc/pf_ring/pre ]; then /etc/pf_ring/pre; fi (code=exited, status=0/SUCCESS)
  Process: 418 ExecStartPre=/bin/sh -c /bin/echo "$(/bin/date) pf_ring StartPre" >> /var/log/ntop-systemd.log (code=exited, status=0/SUCCESS)
 Main PID: 428 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/pf_ring.service

Jul 14 19:28:14 clusternode0xa3 systemd[1]: Starting PF_RING service...
Jul 14 19:28:17 clusternode0xa3 pf_ringctl[428]: Starting PF_RING module: [  OK  ]
Jul 14 19:28:17 clusternode0xa3 systemd[1]: Started PF_RING service.

 
[root@clusternode0xa3 /]# lsmod|grep pf_ring
[root@clusternode0xa3 /]# systemctl start pf_ring 
[root@clusternode0xa3 /]# lsmod|grep pf_ring     
pf_ring               726599  0 

#############################################################################

安装好了 PF_RING

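三、也可以尝试用 git 源码方式安装
(注:git clone 默认拿到的是开发分支的最新代码,下文编译输出中的 GIT_REV 以 dev: 开头;而之后 /proc/net/pf_ring/info 显示的仍是 7.8.0-stable,看起来当时加载的还是前面 yum 安装的模块。要使用新编译的模块,需要先卸载已加载的旧模块再重新加载。生产环境建议检出一个发布标签后再编译。)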

[root@clusternode0xa3 opt]# pwd
/opt
[root@clusternode0xa3 opt]# git clone https://github.com/ntop/PF_RING.git
Cloning into 'PF_RING'...
remote: Enumerating objects: 32028, done.
remote: Counting objects: 100% (968/968), done.
remote: Compressing objects: 100% (330/330), done.
Receiving objects:  13% (4335/32028), 7.67 MiB | 1.14 MiB/s

[root@clusternode0xa3 opt]# du -ah --max-depth=1
176M    ./PF_RING

[root@clusternode0xa3 opt]# cd PF_RING/
[root@clusternode0xa3 PF_RING]# make
cd kernel; make
make[1]: Entering directory `/opt/PF_RING/kernel'
make -C /lib/modules/3.10.0-1160.31.1.el7.x86_64/build M=/opt/PF_RING/kernel EXTRA_CFLAGS='-I/opt/PF_RING/kernel -DGIT_REV="\"dev:b6d09aadcebfff1a2270425ff543b39ad8422cda\"" -fno-pie -Wno-implicit-fallthrough' modules
make[2]: Entering directory `/usr/src/kernels/3.10.0-1160.31.1.el7.x86_64'
  CC [M]  /opt/PF_RING/kernel/pf_ring.o

[root@clusternode0xa3 PF_RING]# cd kernel/
[root@clusternode0xa3 kernel]# make
make -C /lib/modules/3.10.0-1160.31.1.el7.x86_64/build M=/opt/PF_RING/kernel EXTRA_CFLAGS='-I/opt/PF_RING/kernel -DGIT_REV="\"dev:b6d09aadcebfff1a2270425ff543b39ad8422cda\"" -fno-pie -Wno-implicit-fallthrough' modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-1160.31.1.el7.x86_64'
  Building modules, stage 2.
  MODPOST 1 modules
make[1]: Leaving directory `/usr/src/kernels/3.10.0-1160.31.1.el7.x86_64' 

[root@clusternode0xa3 kernel]# make install
mkdir -p /lib/modules/3.10.0-1160.31.1.el7.x86_64/kernel/net/pf_ring
cp *.ko /lib/modules/3.10.0-1160.31.1.el7.x86_64/kernel/net/pf_ring
mkdir -p /usr/include/linux
cp linux/pf_ring.h /usr/include/linux
/sbin/depmod 3.10.0-1160.31.1.el7.x86_64 

[root@clusternode0xa3 kernel]# cat /proc/net/pf_ring/info
PF_RING Version          : 7.8.0 (7.8.0-stable:8b82799cb8a7259f5fcdf80bad1833078e592e46)
Total rings              : 0

Standard (non ZC) Options
Ring slots               : 4096
Slot version             : 18
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Cluster Fragment Queue   : 0
Cluster Fragment Discard : 0

[root@clusternode0xa3 userland]# pwd
/opt/PF_RING/userland

[root@clusternode0xa3 userland]# cd lib
[root@clusternode0xa3 lib]# ./configure && make && make install

[root@clusternode0xa3 lib]# rpm -aq libpcap
[root@clusternode0xa3 lib]# 
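上面的命令没有输出,说明本机没有安装过 libpcap。
如果查到已安装的 libpcap,则需要强制卸载(--nodeps 会跳过依赖检查,依赖 libpcap 的其他软件包可能因此无法运行,卸载前可用 rpm -q --whatrequires libpcap 查看受影响的包):

# rpm -e libpcap --nodeps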

[root@clusternode0xa3 lib]# cd ../libpcap
[root@clusternode0xa3 libpcap]# pwd
/opt/PF_RING/userland/libpcap

[root@clusternode0xa3 libpcap]# ./configure && make && make install  

参考 https://www.169it.com/article/15233587523114684338.html
pf_ring 会安装一个类型为 27 的协议簇,可以使用 socket(PF_RING, SOCK_RAW, 0) 打开一个 socket。使用 libpcap 的朋友不需要修改程序,但需要重新编译,链接的时候请加上 libpfring.so。

启动自动加载PF_RING模块,修改/etc/modprobe.conf文件

# vi /etc/modprobe.conf

在文件的尾部增加一行 modprobe pf_ring

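系统重启后内核会自动加载 pf_ring 模块,modprobe 只能加载 /lib/modules 下的模块。
(注:/etc/modprobe.conf 是旧版系统的做法;CentOS 7 上通常是在 /etc/modules-load.d/ 下放一个 .conf 文件(每行一个模块名),或者用 systemctl enable pf_ring 启用上文显示为 disabled 的 pf_ring.service。请在本机重启后用 lsmod 确认模块确实被加载。)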

[root@clusternode0xa3 tcpdump]# pwd
/opt/PF_RING/userland/tcpdump
[root@clusternode0xa3 tcpdump]#./configure && make && make install  
[ -d /usr/local/share/man/man1 ] || \
    (mkdir -p /usr/local/share/man/man1; chmod 755 /usr/local/share/man/man1)
/usr/bin/install -c -m 644 tcpdump.1 /usr/local/share/man/man1/tcpdump.1

[root@clusternode0xa3 tcpdump]# tcpdump -h
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
                [ -Z user ] [ expression ]

tcpdump 安装完成
(注:这样从源码编译、默认安装到 /usr/local 下的 tcpdump 和 libpcap 不归 yum 管理,yum update 不会为它们打安全补丁,需要自行跟进上游版本并重新编译。)
